CN115941228A - Method, device, system and medium for processing message and obtaining SA information - Google Patents

Abstract

A method, a device, a system and a medium for processing messages and obtaining SA information belong to the field of communication. The method is applied to first equipment, wherein an SA database corresponding to the first equipment comprises N pieces of SA information, and each piece of SA information respectively comprises an address, an SA identifier and a safety parameter. The first data plane security processing module in the first device acquires m pieces of SA information from the SA database based on a first address, wherein the first address is an address of the second device, and each piece of SA information in the m pieces of SA information comprises the first address. And performing first security processing on the payload of the message to be sent based on the security parameters included by the m pieces of SA information, and adding SA identifiers of the m pieces of SA information in the message to be sent to obtain a first message, wherein the payload of the first message is the payload after the first security processing. And the communication interface of the first equipment sends the first message to the second equipment. The method and the device can improve the efficiency of safety processing and save the expenditure of network resources.

Description

Method, device, system and medium for processing message and obtaining SA information

The present application claims priority of chinese patent application No. 202110971846.X entitled "a method and related apparatus for network encryption" filed 24/8/2021, the entire contents of which are incorporated herein by reference.

Technical Field

The present application relates to the field of communications, and in particular, to a method, an apparatus, a system, and a medium for processing a packet and acquiring SA information.

Background

In order to improve the security of data transmission in a network, when a sending end sends data, the data is encrypted by adopting a network security protocol and the like, and the processed data is sent to a receiving end.

When a sending end establishes communication connection with a receiving end at present, the sending end and the receiving end generate Security Association (SA) information through network security protocol negotiation; the transmitting end performs security processing such as encryption and/or authentication on data to be transmitted based on the SA information, and transmits the processed data to the receiving end. And after the data transmission is finished, the transmitting end disconnects the communication connection with the receiving end. When the data transmission requirement is met again, the transmitting end and the receiving end negotiate again to generate new SA information when the transmitting end reestablishes the communication connection with the receiving end, and the new SA information is used for transmitting data.

At present, when a communication connection is established between a sending end and a receiving end every time, the SA information needs to be generated through renegotiation, which not only causes low efficiency of security processing, but also causes high cost of network resources.

Disclosure of Invention

The application provides a method, a device, a system and a medium for processing messages and acquiring SA information, so as to improve the efficiency of safety processing and save the expenditure of network resources. The technical scheme is as follows:

in a first aspect, the present application provides a method for processing a packet, where the method is applied to a first device, the first device includes at least one data plane security processing module, a security association SA database corresponding to the first device includes N pieces of SA information, where N is a natural number greater than 0, and each piece of SA information in the N pieces of SA information includes an address, an SA identifier, and a security parameter. In the method, a first data plane security processing module obtains m pieces of SA information from an SA database based on a first address, where m is a natural number greater than 0 and less than or equal to N, the first address is an address of a second device, each piece of SA information in the m pieces of SA information includes the first address, and the first data plane security processing module is one data plane security processing module in at least one data plane security module included in the first device. The first data plane security processing module obtains a message to be sent, and the destination address of the message to be sent is a first address. And the first data plane security processing module performs first security processing on the payload of the message to be sent based on the security parameters included by the m pieces of SA information, and adds the SA identifiers of the m pieces of SA information in the message to be sent to obtain a first message, wherein the payload of the first message is the payload after the first security processing. The communication interface of the first device sends the first message to the second device.

Since the SA database corresponding to the first device includes N SA information, the first data plane security module obtains m SA information including the first address from the SA database based on the first address. Therefore, when the first device establishes connection with the second device and needs to send data each time, the first device and the second device do not need to negotiate to generate SA information, but the first device obtains m pieces of SA information from the first SA database based on the first address, and performs security processing on a message to be sent through the m pieces of SA information, so that the security processing efficiency is improved, and the expenditure of network resources is saved.

In a possible implementation manner, the SA database corresponding to the first device further includes attribute information corresponding to N pieces of SA information of the security association, respectively, where the attribute information corresponding to a first SA information of the N pieces of SA information includes one or more data plane security protocols capable of using the first SA information. The first data plane security processing module acquires m pieces of SA information from the SA database according to the first address and a filtering condition, wherein the attribute information of each piece of SA information in the m pieces of SA information meets the filtering condition, and the filtering condition comprises a data plane security protocol required by the first data plane security processing module.

Because the filtering condition comprises the data plane security protocol required by the first data plane security processing module, the SA information corresponding to the data plane security protocol required by different data plane security processing modules can be obtained from the SA database, so that the use of the SA information and the negotiation management of the SA information are understood and bound, the management of the network security protocol is simplified, and the expansibility is improved.

In another possible implementation manner, the attribute information corresponding to the first SA information in the N SA information further includes a source of the first SA information, and the filter condition further includes a source of the SA information required by the first data plane security processing module. The first data plane security processing module acquires m pieces of SA information from the SA database according to the first address, the data plane security protocol required by the first data plane security processing module contained in the filtering condition and the source of the SA information required by the first data plane security processing module. In some scenarios, the first data plane security processing module has a requirement on the source of the SA, and since the filtering condition includes the source of the requirement of the first data plane security processing module, the SA information meeting the requirement of the first data plane security processing module can be acquired.

In another possible implementation manner, the first data plane security processing module obtains x pieces of SA information from the SA database based on the first address, where x is a natural number greater than or equal to m and less than or equal to N. The first data plane security processing module selects m pieces of SA information from the x pieces of SA information based on a random mode or a polling mode. In this way, every time the first data plane security processing module needs to send a message with a destination address as the first address, m pieces of SA information are selected from the x pieces of SA information, so that the SA database does not need to be frequently queried.

In another possible implementation manner, the first device reports the security capability of the first device to the third device, where the security capability includes at least one supported security processing algorithm and/or at least one supported data plane security protocol, so as to support the third device to generate at least one SA information based on the security capability of the second device, the security capability of the first device, and a security policy between the first device and the second device, and store the at least one SA information in the SA database. The security policy is used for indicating a target security process and a target data plane security protocol, each SA message in at least one SA message includes an address of the second device, the SA identifier in each SA message is allocated by the third device, and the security parameter in each SA message is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the capability of the second device.

In another possible implementation manner, the third device is a management device, and the management device is configured to generate, for each of at least three devices, SA information required by each device and a communication peer device of each device, where the at least three devices include the first device and the second device. In this way, the third device generates the SA information for the first device and the second device in a centralized manner, and the first device and the second device do not need to deploy a negotiation module for negotiating generation of the SA information, thereby saving the computing resources of the first device and the second device.

In another possible implementation manner, the third device is a negotiation device corresponding to the first device, where the negotiation device corresponding to the first device is configured to negotiate, for the first device, SA information required by the first device and a communication peer device. Therefore, the first device and the opposite-end communication device of the first device are devices in different areas (such as different countries), so that the first device can obtain the SA information by negotiating the SA information generated by the negotiation device for the first device.

In another possible implementation manner, the negotiation device corresponding to the first device is integrated in the same physical device as the first device. Therefore, the first device can directly negotiate to generate the SA information, distributed negotiation is realized, and a separate third device for counting and generating the SA information is not required to be deployed, so that the cost is saved.

In another possible implementation, the data plane security protocol includes: media access control security MACSec, internet protocol security IPSec, segment routing internet protocol version six security SRv6Sec, or secure sockets SSL.

In another possible implementation, the first data plane security processing module corresponds to at least one data plane security protocol.

In another possible implementation manner, the first device includes a plurality of data plane security processing modules, and the SA database is an SA database in which at least two data plane security processing modules of the plurality of data plane security processing modules have access rights. Thus, the SA database is a shared database of the at least two data plane security processing modules, so that different database security processing modules can share the SA information in the SA database, and the management and the use of the SA information are unbound.

In another possible implementation manner, the first SA information further includes an aging duration. When the storage duration of the first SA information in the SA database exceeds the aging duration, the first device acquires second SA information and replaces the first SA information with the second SA information, the address included in the second SA information is the same as the address included in the first SA information, and the security parameter included in the second SA information is different from the security parameter included in the first SA information. Therefore, the first SA information is updated at intervals, the first SA information is prevented from being broken for a long time, and the safety is improved.

In another possible implementation manner, the security parameters of the first SA information include a security processing algorithm and first parameters required by the security processing algorithm, the security parameters of the second SA information include second parameters required by the security processing algorithm and the security processing algorithm, and the first parameters and the second parameters are different. Therefore, the parameters required by the safety processing algorithm are updated at intervals, the first parameter is prevented from being broken for a long time, and the safety is improved.

In another possible implementation manner, the first data plane security processing module obtains the m SA information from the SA database through the common interface. Therefore, each data plane security processing module accesses the SA database through the public interface, so that different database security processing modules can share the SA information in the SA database, and the management and the use of the SA information are unbound.

In another possible implementation, the common interface includes a publish/subscribe Pub/Sub interface.

In another possible implementation, the first security process includes one or more of: encryption processing, authentication processing, tamper-proof processing or replay-proof processing.

In a second aspect, the present application provides a method for processing a packet, where the method is applied to a second device, the second device includes at least one data plane security processing module, a security association SA database corresponding to the second device includes M SA information, M is a natural number greater than 0, and each SA information in the M SA information includes an SA identifier and a security parameter. In the method, a second device receives a first message, wherein the first message comprises M SA identifiers and payloads, and M is a natural number which is greater than 0 and less than or equal to M. The second data plane security processing module acquires m pieces of SA information corresponding to the m SA identifiers from the SA database based on the m SA identifiers, and the second data plane security processing module is one of at least one data plane security processing module included in the second device. And the second data plane security processing module performs second security processing on the payload of the first message based on the security parameters included in the m pieces of SA information.

Because the SA database corresponding to the second device includes M SA information, the first packet received by the second device includes M SA identifiers, and the second data plane security module receives M SA information from the SA database based on the M SA identifiers. Therefore, when the second device establishes connection with the first device and receives a message each time, the second device and the first device do not need to negotiate to generate SA information first, but the second device acquires m pieces of SA information from the SA database based on the SA identifier in the received message, and performs security processing on the received message through the m pieces of SA information, so that the security processing efficiency is improved, and the cost of network resources is saved.

In a possible implementation manner, the second device reports the security capability of the second device to the third device, where the security capability includes at least one supported security processing algorithm and/or at least one supported data plane security protocol, so as to support the third device to generate at least one SA information based on the security capability of the first device, the security capability of the second device, and a security policy between the first device and the second device, and store the at least one SA information in an SA database. The security policy is used for indicating a target security process and a target data plane security protocol, the SA identifier in each SA message is allocated by the third device, and the security parameter in each SA message is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the capability of the second device.

In another possible implementation manner, the third device is a management device, where the management device is configured to generate, for each device of at least three devices, SA information required by each device and a communication peer device of each device, where the at least three devices include a first device and a second device, and a negotiation device corresponding to the second device is configured to negotiate, for the second device, the SA information required by the second device and the communication peer device. In this way, the third device generates the SA information for the first device and the second device in a centralized manner, and the first device and the second device do not need to deploy a negotiation module for negotiating generation of the SA information, thereby saving the computing resources of the first device and the second device.

In another possible implementation manner, the third device is a negotiation device corresponding to the second device, and the negotiation device corresponding to the second device is configured to negotiate, for the second device, SA information required by the second device and the communication peer device. Therefore, the second device and the opposite-end communication device of the second device are devices in different areas (such as different countries), so that the second device is negotiated through the negotiation device to generate the SA information, and the second device is ensured to obtain the SA information.

In another possible implementation manner, the first SA information further includes an aging duration. And when the storage duration of the first SA information in the SA database exceeds the aging duration, the second device acquires second SA information and replaces the first SA information with the second SA information, wherein the address included in the second SA information is the same as the address included in the first SA information, and the security parameter included in the second SA information is different from the security parameter included in the first SA information. Therefore, the first SA information is updated at intervals, the first SA information is prevented from being broken for a long time, and the safety is improved.

In another possible implementation manner, the security parameters of the first SA information include a security processing algorithm and first parameters required by the security processing algorithm, the security parameters of the second SA information include second parameters required by the security processing algorithm and the security processing algorithm, and the first parameters and the second parameters are different. Therefore, the parameters required by the safety processing algorithm are updated at intervals, the first parameter is prevented from being broken for a long time, and the safety is improved.

In another possible implementation manner, the second data plane security processing module obtains, based on the m SA identifiers, m SA information corresponding to the m SA identifiers from the SA database through the public interface. Therefore, each data plane security processing module accesses the SA database through the public interface, so that different database security processing modules can share the SA information in the SA database, and the management and the use of the SA information are unbound.

In another possible implementation, the common interface includes a publish/subscribe Pub/Sub interface.

In another possible implementation, the second security process includes one or more of: decryption processing, authentication processing, tamper-proof processing or replay-proof processing.

In a third aspect, the present application provides a method for acquiring SA information of a security association, in which: the method comprises the steps of obtaining the security capability of first equipment, the security capability of second equipment and a security policy between the first equipment and the second equipment. The security capability of the first device comprises a security processing algorithm supported by the first device and/or a data plane security protocol supported by the first device, the security capability of the second device comprises a security processing algorithm supported by the second device and/or a data plane security protocol supported by the second device, and the security policy is used for indicating a target security processing and a target data plane protocol. Generating at least one piece of SA information based on the security capability of the first device, the security capability of the second device and the security policy, wherein each piece of SA information in the at least one piece of SA information comprises a first address, an SA identifier and a security parameter; the security parameters are parameters specified by the security policy and are parameters supported by both the security capabilities of the first device and the security capabilities of the second device.

By obtaining the security capability of the first device, the security capability of the second device and the security policy between the first device and the second device, at least one piece of SA information is generated based on the security capability of the first device, the security capability of the second device and the security policy, so that the SA information can be generated for the first device and the second device in a unified manner. In this way, the first device and the second device do not include a negotiation module, thereby saving computational resources of the first device and the second device.

In a possible implementation manner, attribute information corresponding to at least one SA information is generated based on the security capability of the first device, the security capability of the second device, and the security policy, and the attribute information corresponding to a first SA information in the at least one SA information includes one or more data plane security protocols capable of using the first SA information. Because the attribute information corresponding to the first SA comprises one or more data plane security protocols capable of using the first SA information, and the filtering condition for the data plane security processing module to acquire the SA information comprises the data plane security protocol required by the data plane security processing module, different data plane security processing modules acquire the SA information corresponding to the data plane security protocol required by different data plane security processing modules based on the filtering condition, so that the use of the SA information and the negotiation management and understanding of the SA information are bound, the management of the network security protocol is simplified, and the expansibility is improved.

In another possible implementation manner, the protocol set and the algorithm set are obtained based on the security capability of the first device, the security capability of the second device, and the security policy. The protocol set is an intersection of a data plane security protocol supported by the first device, a data plane security protocol supported by the second device, and a target data plane security protocol, and the algorithm set is an intersection of a security processing algorithm supported by the first device and a security processing algorithm supported by the second device. At least one SA message is generated based on the protocol set, the algorithm set, and the target security process.

In another possible implementation manner, the security parameters in the first SA information include a first security processing algorithm and parameters required by the first security processing algorithm, the first security processing algorithm is an algorithm in an algorithm set, and a data plane security protocol corresponding to the first security processing algorithm is a protocol in a protocol set.

In another possible implementation manner, at least one SA information is stored in the SA database corresponding to the first device, and/or at least one SA information is stored in the SA database corresponding to the second device.

In a fourth aspect, the present application provides an apparatus for processing a packet, configured to execute the method in the first aspect or any one of the possible implementation manners of the first aspect. In particular, the apparatus comprises means for performing the first aspect or the method in any one of its possible implementations.

In a fifth aspect, the present application provides an apparatus for processing a packet, which is configured to execute the method in the second aspect or any one of the possible implementation manners of the second aspect. In particular, the apparatus comprises means for performing the second aspect or the method in any one of its possible implementations.

In a sixth aspect, the present application provides an apparatus for obtaining SA information of a security association, configured to perform the method in the third aspect or any one of the possible implementation manners of the third aspect. In particular, the apparatus comprises means for performing the method of the third aspect or any one of its possible implementations.

In a seventh aspect, the present application provides an apparatus for processing a packet, where the apparatus includes a processor and a memory. Wherein, the processor and the memory can be connected through an internal connection. The memory is configured to store a program, and the processor is configured to execute the program in the memory, so that the apparatus performs the method of the first aspect or any possible implementation manner of the first aspect.

In an eighth aspect, the present application provides an apparatus for processing a packet, where the apparatus includes a processor and a memory. Wherein, the processor and the memory can be connected through an internal connection. The memory is configured to store a program, and the processor is configured to execute the program in the memory, so that the apparatus performs the method of the second aspect or any possible implementation manner of the second aspect.

In a ninth aspect, the present application provides an apparatus for acquiring SA information, the apparatus comprising a processor and a memory. Wherein, the processor and the memory can be connected through an internal connection. The memory is configured to store a program, and the processor is configured to execute the program in the memory, so that the apparatus performs the method in the third aspect or any possible implementation manner of the third aspect.

In a tenth aspect, the present application provides a computer program product, where the computer program product includes a computer program stored in a computer-readable storage medium, and the computer program is loaded by a processor to implement the method of the first aspect, the second aspect, the third aspect, any possible implementation manner of the first aspect, any possible implementation manner of the second aspect, or any possible implementation manner of the third aspect.

In an eleventh aspect, the present application provides a computer-readable storage medium for storing a computer program, which is loaded by a processor to perform the method of the first aspect, the second aspect, the third aspect, any possible implementation manner of the first aspect, any possible implementation manner of the second aspect, or any possible implementation manner of the third aspect.

In a twelfth aspect, the present application provides a chip, including a memory and a processor, where the memory is used to store computer instructions, and the processor is used to call and execute the computer instructions from the memory, so as to execute the first aspect, the second aspect, the third aspect, any possible implementation manner of the first aspect, any possible implementation manner of the second aspect, or a method of any possible implementation manner of the third aspect.

In a thirteenth aspect, the present application provides an apparatus for processing a packet, including a memory and a processor, where the memory is configured to store computer instructions, and the processor is configured to call and execute the computer instructions from the memory, so as to execute the method according to the first aspect, the second aspect, any possible implementation manner of the first aspect, or any possible implementation manner of the second aspect.

In a fourteenth aspect, the present application provides an apparatus for acquiring SA information, including a memory and a processor, where the memory is configured to store computer instructions, and the processor is configured to call and execute the computer instructions from the memory, so as to execute the method in any possible implementation manner of the third aspect or the third aspect.

In a fifteenth aspect, the present application provides a system for processing packets, including the apparatus of the fourth aspect and the apparatus of the fifth aspect, or including the apparatus of the seventh aspect and the apparatus of the eighth aspect.

In a possible implementation manner, the system further includes the apparatus of the sixth aspect or the apparatus of the ninth aspect.

Drawings

Fig. 1 is a flowchart of negotiating a key generation provided in an embodiment of the present application;

fig. 2 is a flowchart of SA negotiation setup provided in an embodiment of the present application;

FIG. 3 is a flow diagram of a negotiated key exchange provided by an embodiment of the application;

fig. 4 is a schematic diagram of a network architecture provided in an embodiment of the present application;

fig. 5 is a schematic diagram of another network architecture provided by an embodiment of the present application;

fig. 6 is a schematic diagram of another network architecture provided in an embodiment of the present application;

fig. 7 is a schematic diagram of another network architecture provided in an embodiment of the present application;

fig. 8 is a flowchart of a method for obtaining SA information in a centralized manner according to an embodiment of the present application;

fig. 9 is a flowchart of a distributed method for acquiring SA information according to an embodiment of the present application;

fig. 10 is a flowchart of a method for processing a message according to an embodiment of the present application;

fig. 11 is a flowchart of another method for processing a message according to an embodiment of the present application;

fig. 12 is a schematic structural diagram of a device for processing a packet according to an embodiment of the present application;

fig. 13 is a schematic structural diagram of another device for processing a message according to the embodiment of the present application;

fig. 14 is a schematic structural diagram of an apparatus for acquiring SA information according to an embodiment of the present application;

fig. 15 is a schematic structural diagram of an apparatus for processing a packet according to an embodiment of the present application;

fig. 16 is a schematic structural diagram of another apparatus for processing a packet according to the embodiment of the present application;

fig. 17 is a schematic structural diagram of an apparatus for acquiring SA information according to an embodiment of the present application.

Detailed Description

Embodiments of the present application will be described in further detail below with reference to the accompanying drawings.

Often, the cross-network link is insecure, as little as personal privacy, as much as national confidentiality, and data is transferred from the internet to the internet, which can present network security issues. In order to improve the security of data transmission, the sending end uses the SA information to perform security processing on data to be sent, and sends the data subjected to security processing to the receiving end.

In the network, a security processing scheme is contained in each layer of protocol, whether the layer is a physical layer, a data link layer, a network layer, or a session layer and an application layer of an upper layer. These security processing schemes include media access control security (MACSec), internet protocol security (IPSec), and/or Secure Sockets (SSL), etc.

MACSec defines a method for secure communication of data over an IEEE 802 local area network. The MACSec can provide secure MAC layer data transmission and reception services for users, including user data encryption and decryption, data frame integrity check, data source authenticity check, and replay protection. MACSec Key Agreement (MKA) in MACSec defines a key management protocol, and defines that protocol packets still adopt an 802.1X packet format. MACSec is an improvement and extension to the original 802.1X protocol. And encrypting and checking the integrity of the authenticated user data by using a secret key generated by the MKA protocol negotiation, so as to avoid the port from processing the message of the unauthenticated device or the tampered message of the unauthenticated device. MACSec provides hop-by-hop secure transmission of data using a two-layer encryption technique.

See figure 1 for a flow of keys (i.e., SA information) generated by MACSec using MKA protocol negotiation. The MKA defines that a configured Pre-Shared Key (PSK) is used as a security Connection Association Key (CAK) between the devices, and a session is negotiated through an EAPOL-MKA message (wherein EAPOL is an extended authentication protocol based on a local area network, and the English of EAPOL is called as an extended authentication protocol over LAN). The MKA elects a port with a higher priority among multiple devices as a Key Server (Key Server), and the Key Server is responsible for generating and distributing Security Association Keys (SAK). Here, MI (Number identifier) in fig. 1 is a member identifier, and MN (Message Number) is a Message Number. CA1 and CA2 are members of a Certificate Authority (CA) associated with the same secure link.

IPsec is a three-layer tunnel encryption protocol proposed by the Internet Engineering Task Force (IETF) to provide high-quality, interoperable, cryptography-based security guarantees for data transmitted over the Internet (Internet). The following security services are provided between specific communication parties through ways of encryption, data source authentication and the like at an IP layer: data confidentiality, data integrity, data source authentication and anti-replay. Internet Key Exchange (IKE) in IPSec can implement an auto-negotiation function of a key, reducing overhead of the key negotiation. The service of the SA can be established and maintained through IKE, simplifying the use and management of IPsec.

Referring to fig. 2, the internet key exchange version 2 (ikev 2) can complete the negotiation setup of the first pair of IPSec SAs by an initial exchange. In fig. 5, messages (1) and (2) belong to a first exchange (referred to as IKE SA INIT exchange) and the parameters negotiation of IKE SA is done in plaintext, including negotiating encryption and authentication algorithms, exchanging nonce and diffie-hellman (DH) exchanges. After the IKE SA INIT exchange, a shared key material is generated from which all keys of the IPSec SA can be derived.

Messages (3) and (4) belong to the second exchange (called IKE AUTH exchange), and the authentication of the identity, the authentication of the first two messages and the negotiation of the parameters of the IPSec SA are done in an encrypted manner. IKEv2 supports asymmetric encryption (RSA) signature authentication, pre-shared key authentication, and extended authentication methods (EAPs). EAP authentication is implemented in IKE as an additional IKE AUTH exchange, with the initiator indicating the need to use EAP authentication by omitting the authentication payload in message 3.

SSL is a solution to the web security problem and is located between the application layer and the transport layer. SSL is theoretically capable of providing security assurance for all reliably connected application layer protocols based on Transmission Control Protocol (TCP). SSL also uses data encryption, authentication, and message integrity verification mechanisms to secure data transmitted over a network. SSL has become a global standard in networks for authenticating sites and web browser identities, and for encrypted communications between browser users and web servers (webservers). The SSL protocol has been integrated into most browsers, such as internet browsers (internet explore), google browsers (chrome), firefox browsers (Firefox), and so on. This means that any computer equipped with a browser supports SSL connections. No additional client (client) software needs to be installed. The SSL handshake protocol is used to negotiate a cipher suite (encryption algorithm, key exchange algorithm, MAC algorithm, etc.) used in a communication process, securely exchange keys between the server and the client, and implement authentication of the server and the client.

Referring to the SSL negotiation key exchange process shown in fig. 3, the process includes the following steps 1-5.

1.client_hello

The client _ hello is a request initiated by the client, transmits request information in a plaintext, and comprises version information, an encryption suite candidate list, a compression algorithm candidate list, a random number, an expansion field and other information. A list of client supported encryption suites (ciphers), each corresponding to a combination of four functions in the Transport Layer Security (TLS) principle in front: authentication algorithm Au (for authentication), key exchange algorithm KeyExchange (for key agreement), symmetric encryption algorithm Enc (for information encryption), and information digest Mac (for integrity check).

2.server_hello+server_certificate+sever_hello_done

And a server _ hello, which returns a negotiated information result for the server, including a version of a protocol selected for use (version), a cipher suite selected (cipher suite), a compression algorithm selected (compression method), a random number (random _ S), and the like, wherein the random number is used for subsequent key negotiation.

server _ certificates, configuring a corresponding certificate chain for the server side, and using the certificate chain for identity authentication and key exchange.

And the server _ hello _ done is used for informing the client that the sending of the server _ hello information is finished.

3. Certificate verification

4.client_key_exchange+change_cipher_spec+encrypted_handshake_message

And after the client _ key _ exchange passes the validity verification, the client calculates and generates a random number 'Pre-master', encrypts the random number with a certificate public key and sends the random number 'Pre-master' to the server. At this time, the client has obtained all information required for calculating the negotiation key, including: two plaintext random numbers random _ C and random _ S, pre-master generated by self calculation and negotiation key obtained by calculation, wherein the negotiation key is as follows: enc _ key = Fuc (random _ C, random _ S, pre-Master).

And changing _ cipher _ spec, wherein the client informs the server that the subsequent communication adopts the negotiated communication key and the encryption algorithm to carry out encryption communication.

The encrypted _ handshake _ message is combined with the hash (hash) values of all the communication parameters and other related information to generate a segment of data, and the segment of data is encrypted by using a session secret negotiation algorithm and then sent to a server for data and handshake verification.

5.change_cipher_spec+encrypted_handshake_message

The server decrypts the encrypted Pre-master data by using a private key, and calculates to obtain a negotiation key based on two plaintext random numbers random _ C and random _ S which are exchanged: enc _ key = Fuc (random _ C, random _ S, pre-Master); and calculating the hash value of all the received information, then decrypting the encrypted _ message sent by the client, and verifying the correctness of the data and the key.

And after the verification is passed, the server also sends the change _ cipher _ spec to inform the client that the subsequent communication adopts the negotiated key and algorithm to carry out encrypted communication.

The server also combines all current communication parameter information to generate a piece of data, encrypts by adopting a negotiation key secret and an algorithm, and sends the encrypted data to the client.

Each network security protocol has its own control plane key agreement protocol (producer of SA) and data plane encryption protocol (consumer of SA), e.g., MACSec uses MKA to negotiate SA and IPSec uses IKE to negotiate SA. Currently, in one link, two communication parties negotiate the SA using a control plane key negotiation protocol (SA producer), and the negotiated AS can only be used for a data plane encryption protocol (SA consumer) in the present connection to encrypt the transmitted data. That is, the SA negotiated by one connection can only protect the communication data of the data plane of this link. Therefore, at present, strong binding is generated between the negotiation management of the control plane SA and the use of the data plane SA, the management is complex, the expansibility is poor, and the addition of new encryption characteristics (such as double encryption) is difficult.

Referring to fig. 4, an embodiment of the present application provides a network architecture 100, including: a first device 101 and a second device 102, there being a communication connection between the first device 101 and the second device 102.

In some embodiments, the first device 101 and the second device 102 are both located in a communication network, and the first device 101 establishes a communication connection with the second device 102 in the communication network to enable the first device 101 to communicate with the second device 102. Of course, there are other ways to implement the communication between the first device 101 and the second device 102, which are not listed here.

The first device 101 has a corresponding first SA database 103, where the first SA database 103 is used to store N SA information, where N is a natural number greater than 0. For each SA information of the N SA information, each SA information includes an address, an SA identification, and a security parameter.

Optionally, in some embodiments, the first SA database 103 further includes attribute information corresponding to the N SA information. The first SA database 103 includes a correspondence relationship between SA information and attribute information, which is used to store each SA information and attribute information corresponding to each SA information for each of the N SA information.

For convenience of description, the SA information is referred to as first SA information, and the attribute information corresponding to the first SA information includes one or more data plane security protocols that can use the first SA information.

The first device 101 includes at least one data plane security processing module, and the first device 101 performs first security processing on a packet sent by the first device 101 to the second device using the SA information. When implemented:

for the message to be sent to the second device 102, the destination address of the message to be sent is the address of the second device 102, and the first data plane security processing module in the first device 101 performs the first security processing on the payload of the message to be sent by using the security parameters included in the m SA information. m is an integer greater than 0 and less than or equal to N, the m SA information is SA information in the first SA database 103, and the m SA information includes an address that is an address of the second device 102. The first data plane security processing module is any one of at least one data plane security processing module included in the first device 101, and adds the SA identifiers of the m SA information in the message to be sent to obtain a first message, where a payload of the first message is a payload after the first security processing. The communication interface of the first device 101 then sends the first message to the second device 102.

Optionally, in some embodiments, the first device 101 includes a plurality of data plane security processing modules, that is, the first device 101 includes two data plane security processing modules or more than two data plane security processing modules. At least two of the plurality of data plane security processing modules have access to the first SA database 103.

Optionally, in some embodiments, the first data plane security processing module in the first device 101 corresponds to at least one data plane security protocol. The data plane security protocol for each data plane security processing module in the first device 101 may be different.

Optionally, in some embodiments, the data plane security protocol corresponding to the first data plane security processing module is configured by a network administrator. After the network manager configures the data plane security protocol corresponding to the first data plane security processing module, the network manager may also modify the data plane security protocol corresponding to the first data plane security processing module.

In some embodiments, the data plane security protocols include, but are not limited to, one or more of the following: IPSec, MACSec, segment routing internet protocol version six security (srv6sec), or SSL, among others.

In some embodiments, a detailed process of the first device 101 for processing the message to be sent will be described in the embodiment shown in fig. 10, which will not be described in detail here.

The second device 102 has a corresponding second SA database 104, and the second SA database 104 is used for storing M SA information. The partial SA information existing in the first SA database 103 is the same as the partial SA information existing in the second SA database 104, the number of the same SA information is greater than or equal to M, and M is a natural number greater than or equal to M.

Optionally, in some embodiments, the second SA database 104 further includes attribute information corresponding to the M SA information. The second SA database 104 includes a correspondence relationship between SA information and attribute information, which is used to store each SA information of the M SA information and attribute information corresponding to each SA information.

The second device 102 includes at least one data plane security processing module, and after the first device 101 sends the first packet, the communication interface of the second device 102 receives the first packet. The second data plane security processing module in the second device 102 obtains m SA information corresponding to the m SA identifiers from the second SA database 104 based on the m SA identifiers included in the first packet, and performs second security processing on a payload included in the first packet based on security parameters included in the m SA information. The second data plane security processing module is any one of at least one data plane security processing module included in the second device 102.

Optionally, in some embodiments, the second device 102 includes a plurality of data plane security processing modules, i.e., the second device 102 includes two data plane security processing modules or more than two data plane security processing modules. At least two of the plurality of data plane security processing modules have access to the second SA database 104.

In some embodiments, the second data plane security processing module in the second device 102 corresponds to at least one data plane security protocol. The data plane security protocol for each data plane security processing module in the second device 102 may be different.

In some embodiments, the data plane security protocol corresponding to the second data plane security processing module is configured by a network administrator. After the network administrator configures the data plane security protocol corresponding to the second data plane security processing module, the network administrator may also modify the data plane security protocol corresponding to the second data plane security processing module.

In some embodiments, the detailed process of processing the first packet by the second device 102 will be described in the embodiment shown in fig. 11, and will not be described in detail here.

The first device 101 and the second device 102 use the same SA information between the first SA database 103 and the second SA database 104 to perform security processing on the message sent by the first device 101 to the second device 102, thereby improving the security of sending the message.

It is assumed that the same SA information includes first SA information including security parameters that are required for the first device 101 to perform the first security process and the second device 102 to perform the second security process.

In some embodiments, the security parameter includes information such as a security processing algorithm, which is an algorithm for implementing the first security process and the second security process, and a parameter required for the security processing algorithm.

For example, the first security process includes, but is not limited to, one or more of: encryption processing, authentication processing, tamper-proof processing, replay-proof processing, or the like. The second security treatment includes, but is not limited to, one or more of: decryption processing, authentication processing, tamper-proof processing, or replay-proof processing.

It is assumed that the first security process includes an encryption process, and the second security process is a decryption process, and the security parameter includes an encryption/decryption algorithm and information such as a parameter required by the encryption/decryption algorithm. The first safety processing realized by the encryption and decryption algorithm is encryption processing, the second safety processing realized by the encryption and decryption algorithm is decryption processing, and parameters required by the encryption and decryption algorithm comprise parameters such as a key and/or key length.

Further, it is assumed that the first security process includes an encryption process and an authentication process, and the second security process is a decryption process and an authentication process. That is to say, after encrypting the payload of the message to be sent, the first device 101 further calculates the encrypted payload to obtain a first information digest, where the first message sent by the first device 101 further includes the first information digest. The second device 102 calculates the payload in the first message to obtain a second message digest, compares the first message digest with the second message digest, and if the first message digest and the second message digest are the same, authenticates the first message and decrypts the payload in the first message. Therefore, for the security processing algorithm for implementing the first security processing and the second security processing, the security processing algorithm includes an encryption/decryption algorithm and an algorithm for calculating the message digest, and the security parameters include information such as the encryption/decryption algorithm, the algorithm for calculating the message digest, parameters required for the encryption/decryption algorithm, and parameters required for calculating the message digest algorithm.

Optionally, in some embodiments, the first SA information further includes, but is not limited to, one or more of the following: aging duration or safety mode, etc.

In some embodiments, the security mode includes, but is not limited to, one or more of the following: an encryption mode, an authentication mode, etc.

In some embodiments, the first security process and/or the second security process is a process for increasing the security of data transmitted between the first device 101 and the second device 102.

In some embodiments, the first device 101 is a terminal device or a routing device, the second device 102 is a terminal device or a routing device, and the routing device is a router, a switch, a gateway, or the like. For example, the first device 101 and the second device 102 are two edge routing devices of an untrusted network, and the first device 101 sends a message to the second device 102 through the network. Since the network is not trusted, the first device 101 and the second device 102 need to perform secure processing on the message.

Optionally, in some embodiments, the first device 101 includes the first SA database 103, or the first SA database 103 is located in a different device from the first device 101, for example, the first SA database 103 is located on a storage device.

Optionally, in some embodiments, the second device 102 includes the second SA database 104, or the second SA database 104 is located in a different device than the second device 102, e.g., the second SA database 104 is located on a storage device.

Optionally, in some embodiments, the first SA database 103 and the second SA database 104 are located on the same storage device, and the first SA database 103 and the second SA database 104 are the same SA database, and the SA database is bound to the address of the first device and the address of the second device.

The embodiment of the application provides a plurality of schemes for negotiating and generating the SA database corresponding to each communication opposite terminal device. Optionally, one of the solutions is a centralized SA negotiation solution, as shown in fig. 5, there is a dedicated negotiation management device in the network, so as to generate, for each device of at least three devices, SA information required by each device and a communication peer device of each device, respectively, where the at least three devices include the first device 101 and the second device 102.

Another scheme is to adopt a distributed SA negotiation scheme, as shown in fig. 7, each correspondent device has a corresponding negotiation device. For example, the first negotiation device corresponding to the first device 101 negotiates, for the first device 101, SA information required by the first device 101 and the communication peer device.

Optionally, referring to fig. 5, the network architecture 100 further comprises a third device 105, the third device 105 being in communication with the first device 101 and the second device 102, respectively. The third device is a negotiation management device, and is configured to generate SA information for a plurality of devices in the network according to security capabilities and security policies of the plurality of devices in the centralized SA negotiation scheme shown in fig. 5.

In some embodiments, the third device 105 is located in a communication network in which the third device 105 establishes a communication connection with the first device 101 to enable communication with the first device 101. The third device 105 establishes a communication connection with the second device 102 in the communication network to enable communication with the second device 102.

The third device 105 is configured to generate, for each of at least three devices, SA information required by each device and a communication peer device of each device, respectively, where the at least three devices include the first device 101.

For example, the communication peer device of the first device 101 is the second device 102. The third device 105 generates at least one SA information based on the security policy between the first device 101 and the second device 102, the security capability of the first device 101, and the security capability of the second device 102. At least one SA information is stored in the first SA database 103 and/or at least one SA information is stored in the second SA database 104.

In some embodiments, the third device 105 further generates attribute information corresponding to the at least one SA information based on a security policy between the first device 101 and the second device 102, a security capability of the first device 101, and a security capability of the second device 102. Thus, the third device 105 stores each piece of SA information and attribute information corresponding to each piece of SA information in the correspondence relationship between the SA information and the attribute information included in the first SA database 103, and/or stores each piece of SA information and attribute information corresponding to each piece of SA information in the correspondence relationship between the SA information and the attribute information included in the second SA database 104.

The security capability of the first device includes at least one security processing algorithm supported by the first device and/or at least one data plane security protocol supported by the first device, and the security capability of the second device includes at least one security processing algorithm supported by the second device and/or at least one data plane security protocol supported by the second device. The security policy is to indicate a target security processing algorithm and/or a target data plane security protocol.

The detailed process of the third device 105 generating the SA information will be described in the following embodiment shown in fig. 8, and will not be described in detail here.

In some embodiments, referring to fig. 6, the third device 105 includes, but is not limited to, one or more of the following: a controller 1051, a network management device 1052, a Quantum Key Distribution (QKD) device 1053, or a control plane device corresponding to a data plane security protocol. For example, referring to fig. 6, the control plane device corresponding to the data plane security protocol is a Manual (Manual) control plane device 1054 corresponding to SSL, and the like.

Optionally, referring to fig. 7, the network architecture 100 further includes a first negotiation device 106 corresponding to the first device 101 and a second negotiation device 107 corresponding to the second device 102, the first negotiation device 106 communicates with the first device 101 and the second negotiation device 107, respectively, and the second negotiation device 107 also communicates with the second device 102.

In some embodiments, the first negotiation device 106 and the second negotiation device 107 are located in a communication network in which the first negotiation device 106 establishes a communication connection with the first device 101 and the second negotiation device 107, respectively, to enable communication with the first device 101 and the second negotiation device 107; the second negotiation device 107 establishes a communication connection with the second device 102 in the communication network to enable communication with the second device 102.

The first negotiation device 106 is configured to negotiate, for the first device 101, SA information required by the first device 101 and a communication peer device. The second negotiation device 107 is configured to negotiate, for the second device 102, SA information required by the second device 102 and a device of a correspondent node.

Alternatively, referring to fig. 7, the first device 101 and the first negotiation device 106 are different physical devices, and the second device 102 and the second negotiation device 107 are different physical devices. This case may be applied to a scenario where the first device 101 and the second device 102 are located in different areas (e.g., different countries). The first device 101 and the first negotiation device 106 are located in the same area (this area is referred to as a first area), and the second device 102 and the second negotiation device 107 are located in the same area (this area is referred to as a second area). The first negotiation device 106 and the second negotiation device 107 negotiate to generate SA information required for the first device 101 and the second device 102. Optionally, in this scenario, the first negotiation device 106 may be configured to generate, for each device in the first area, SA information required by each device and a communication peer device of each device. The second negotiation device 107 can negotiate to generate SA information required by each device and a communication peer device of each device for each device in the second area.

Alternatively, the first device 101 and the first negotiation device 106 are integrated in the same physical device, and the second device 102 and the second negotiation device 107 are integrated in the same physical device. The first negotiation device 106 is a negotiation module in the first device 101 and the second negotiation device 107 is a negotiation module in the second device 102.

The first negotiation device 106 is a control plane device corresponding to a server or a data plane security protocol, and the second negotiation device 107 is a control plane device corresponding to a server or a data plane security protocol.

For example, the first negotiation device 106 is an MKA control plane device corresponding to the MACSec, and the second negotiation device 107 is also an MKA control plane device. Alternatively, the first negotiation device 106 is an IKE control plane device corresponding to IPSec, and the second negotiation device 107 is also an IKE control plane device.

For the corresponding relationship between the SA information and the attribute information stored in the first SA database and the corresponding relationship between the SA information and the attribute information stored in the second SA database, several ways of storing the corresponding relationship between the SA information and the attribute information in the first SA database and/or the second SA database are listed in detail below. The modes are respectively a centralized mode and a distributed mode.

For the centralized manner, the centralized manner is applied to the network architecture 100 shown in fig. 5 or fig. 6, and in the centralized manner, the third device generates at least one SA information. The at least one SA information is stored in a first SA database (e.g., the first SA database 103 shown in fig. 5 or 6) and/or the at least one SA information is stored in a second SA database (e.g., the second SA database 104 shown in fig. 5 or 6).

Referring to fig. 8, when implemented, a centralized manner is realized by the following flow of steps 501 to 505. The flow of steps 501 to 505 in a centralized manner includes steps 501-505.

Step 501: the first device reports the security capability of the first device to the third device, where the security capability of the first device includes at least one security processing algorithm supported by the first device and/or at least one data plane security protocol supported by the first device.

The at least one security processing algorithm supported by the first device is a security processing algorithm included in the first device.

In step 501, the first device includes at least one data plane security processing module, where each data plane security processing module corresponds to at least one data plane security protocol. Therefore, the first device obtains the data plane security protocol corresponding to each data plane security processing module included therein to obtain at least one data plane security protocol supported by the first device.

For any data plane security processing module in the first device, the data plane security processing module may invoke one or more security processing algorithms in the first device, and implement the first security processing using the invoked security processing algorithms.

For example, assuming a case where the first security processing includes encryption processing, a security processing algorithm for realizing the encryption processing is an encryption/decryption algorithm. The first device comprises one or more encryption and decryption algorithms, the data plane security processing module calls the encryption and decryption algorithms in the first device, and encryption processing is realized by using the called encryption and decryption algorithms.

Assuming again that the first security process includes an encryption process and an authentication process, the first device includes one or more encryption/decryption algorithms and one or more algorithms for calculating a message digest, the data plane security processing module calls the encryption/decryption algorithms in the first device and the algorithms for calculating the message digest, and implements the encryption process and the authentication process using the called encryption/decryption algorithms and the algorithms for calculating the message digest.

Optionally, in some embodiments, for each security processing algorithm in the first device, the security processing algorithm corresponds to a data plane security protocol, and the first device uses the security processing algorithm to implement the first security processing based on the data plane security protocol.

For example, the data plane security protocol supported by the first device includes one or more of: MACSec, IPSec, SSL, or SRv6Sec, etc. Taking IPSec as an example, the first device may include an encryption and decryption algorithm corresponding to IPSec and/or an algorithm for calculating a digest of information, and the first device uses the encryption and decryption algorithm and/or the algorithm for calculating a digest of information to implement encryption processing and/or authentication processing based on IPSec. Taking MACSec as an example, the first device may further include an encryption/decryption algorithm corresponding to MACSec and/or an algorithm for calculating an information digest, and the first device implements encryption processing and/or authentication processing based on MACSec using the encryption/decryption algorithm and/or the algorithm for calculating an information digest.

In some embodiments, the first device sends first device information to the third device, where the first device information includes information such as an algorithm identifier of at least one security processing algorithm supported by the first device and/or a protocol identifier of at least one data plane security protocol supported by the first device, so as to report the security capability of the first device to the third device.

For example, assuming that the first device includes an encryption/decryption algorithm corresponding to MACSec and the address of the first device is "192.168.178.5", the data plane security protocol supported by the first device includes MACSec. The first device sends first device information to the third device, wherein the first device information comprises an algorithm identifier 'ID-MAC ency' of an encryption and decryption algorithm supported by the first device and a protocol identifier 'ID-MAC' of a data plane security protocol supported by the first device.

Step 502: the second device reports the security capability of the second device to the third device, where the security capability of the second device includes at least one security processing algorithm supported by the second device and/or at least one data plane security protocol supported by the second device.

In step 502, the second device includes at least one data plane security processing module, each corresponding to at least one data plane security protocol. Therefore, the second device obtains the data plane security protocol corresponding to each data plane security processing module included therein to obtain at least one data plane security protocol supported by the second device.

The second device also includes at least one security processing algorithm, and for any data plane security processing module in the second device, the data plane security processing module may invoke one or more security processing algorithms in the second device, and implement the second security processing using the invoked security processing algorithms.

For example, assuming a case where the second secure processing includes decryption processing, the secure processing algorithm used to implement the decryption processing is an encryption/decryption algorithm, the second device includes one or more encryption/decryption algorithms, and the data plane secure processing module calls the encryption/decryption algorithm in the second device, and implements the decryption processing using the called encryption/decryption algorithm.

Assuming again that the second security process includes a decryption process and an authentication process, the second device includes one or more encryption/decryption algorithms and one or more algorithms for computing a message digest, the data plane security processing module calls the encryption/decryption algorithms in the second device and the algorithms for computing the message digest, and implements the decryption process and the authentication process using the called encryption/decryption algorithms and the algorithms for computing the message digest.

In some embodiments, for each security processing algorithm in the second device, the security processing algorithm corresponds to a data plane security protocol, the second device using the security processing algorithm to implement a second security process based on the data plane security protocol.

In some embodiments, the second device sends second device information to the third device, where the second device information includes information such as an algorithm identifier of at least one security processing algorithm supported by the second device and/or a protocol identifier of at least one data plane security protocol supported by the second device, so as to report the security capability of the second device to the third device.

For example, assuming that the second device includes a cryptographic algorithm corresponding to MACSec and the address of the second device is "192.168.1.4", the data plane security protocol supported by the second device includes MACSec. And the second equipment sends second equipment information to the third equipment, wherein the second equipment information comprises an algorithm identifier 'ID-MAC ency' of an encryption and decryption algorithm supported by the second equipment and a protocol identifier 'ID-MAC' of a data plane security protocol supported by the second equipment.

Step 503: the third device obtains a security policy, where the security policy includes a first address, a second address, and security requirement information, the first address is an address of the second device, and the second address is an address of the first device.

The security requirement information is used for indicating a target security process and a target data plane security protocol, and the security requirement information substantially indicates that the target security process based on the target data plane security protocol needs to be executed on the message sent by the first device to the second device.

In some embodiments, the security requirement information includes a process type of the target security process and a protocol identification of the target data plane security protocol. The first address is the destination address of the message and the second address is the source address of the message.

For example, assume that the security policy includes a first address of "192.168.1.4", a second address of "192.168.178.5", the target security processing type includes encryption, the protocol identifier of the target data plane security protocol includes "ID-MAC" and "ID-SRv6", and "ID-SRv6" is the protocol identifier of SRv6Sec. 192.168.1.4 is the address of the second device, 192.168.178.5 is the address of the first device, and the security policy is used to indicate that the message of the second device needs to be sent to the first device, and perform encryption processing based on SRv6Sec, and/or perform encryption processing based on IPSec.

In some embodiments, the third device displays an input interface, the network administrator inputs the security policy in the input interface, and the third device obtains the security policy from the input interface.

In some embodiments, the network management personnel inputs the security policy on the network management device corresponding to the network management personnel, the network management device sends the security policy to the third device, and the third device receives the security policy.

The execution sequence among the step 501, the step 502 and the step 503 is not sequential, and the step 501, the step 502 and the step 503 can be executed first; alternatively, step 502 may be executed first, step 501 may be executed, and step 503 may be executed thereafter; or, step 503 may be executed first, step 501 may be executed, and step 502 may be executed thereafter; alternatively, step 501, step 502, and step 503 may be performed simultaneously. The execution sequence among step 501, step 502 and step 503 may have other sequences besides the above listed ones, and is not listed here.

Step 504: and the third equipment acquires the security capability of the first equipment and the security capability of the second equipment, and generates at least one piece of SA information based on the security capability of the first equipment, the security capability of the second equipment and the security policy.

In step 504, the third device further generates attribute information corresponding to at least one SA information based on the security capability of the first device, the security capability of the second device, and the security policy.

And the third equipment receives the first equipment information and the second equipment information so as to acquire the security capability of the first equipment and the security capability of the second equipment.

For convenience of description, the SA information is referred to as first SA information, and the first SA information includes contents such as a first address, an SA id, and a security parameter. The security parameter is a parameter required for the first device to execute a first security process and for the second device to execute a second security process, and the first security process needs to be implemented using a security process algorithm. Therefore, the security parameters include information such as a security processing algorithm and parameters required for the security processing algorithm. Wherein the security parameter is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the capability of the second device.

In some embodiments, the first SA information further includes one or more of the following: the aging duration of the first SA information, the security mode corresponding to the first SA information and the like. The security mode includes an authentication mode and/or an encryption mode, etc. The aging duration is a valid length of time for which the first SA information exists.

For example, taking the first security process as the encryption process and the second security process as the decryption process as an example, the first SA information includes the first address "192.168.1.4", the SA identification "ID-SA1", the security parameter, the aging period "24 hours", and the encryption mode. The security parameters include an encryption/decryption algorithm and a key "secret key" required by the encryption/decryption algorithm. The first SA information indicates that the first device encrypts a packet sent by the first device to the second device using the encryption/decryption algorithm, and the second device decrypts the packet using the encryption/decryption algorithm when receiving the packet.

For the attribute information corresponding to the first SA information, the attribute information includes one or more data plane security protocols capable of using the first SA information.

In some embodiments, the attribute information further includes a source of the first SA information. The source of the SA information refers to the producer of the SA. For example, in this embodiment, the source of the first SA information is the third device.

In step 504, the SA information and the attribute information corresponding to the SA information are generated by the following operations 5041 to 5044. The operations of 5041-5044 are respectively:

5041: the third device obtains a protocol set based on the first device information, the second device information and the security requirement information, where the protocol set is an intersection of the data plane security protocol supported by the first device, the data plane security protocol supported by the second device and the data plane security protocol indicated by the security requirement information.

At 5041, the third device obtains, from the received device information, first device information including the second address and second device information including the first address based on the first address and the second address in the security policy. The third device determines at least one data plane security protocol supported by the first device based on the protocol identification of the at least one data plane security protocol supported by the first device, which is included in the first device information. And determining at least one data plane security protocol supported by the second device based on the protocol identification of the at least one data plane security protocol supported by the second device, which is included in the second device information. And determining the target data plane security protocol indicated by the security requirement information based on the protocol identifier of the target data plane security protocol included in the security requirement information. And intersecting at least one data plane security protocol supported by the first device, at least one data plane security protocol supported by the second device and a target data plane security protocol indicated by the security requirement information to obtain a protocol set.

For example, the third device acquires the first device information including "192.168.178.5" based on the second address "192.168.178.5" and acquires the second device information including "192.168.1.4" based on the first address "192.168.178.4". And determining that the data plane security protocol supported by the first device is the MAC Sec based on the protocol identifier 'ID-MAC' included in the first device information. And determining that the data plane security protocol supported by the second device is MACSec based on the protocol identification 'ID-MAC' included in the second device information. And determining that the target data plane security protocol comprises MACSec and SRv6Sec based on the protocol identifications 'ID-MAC' and 'ID-SRv 6' of the target data plane security protocol. And performing intersection on the MACSec supported by the first equipment, the MACSec supported by the second equipment and the target data plane security protocols MACSec and SRv6Sec to obtain a protocol set, wherein the protocol set comprises the MACSec.

5042: the third device obtains an algorithm set based on the first device information and the second device information, where the algorithm set is an intersection of a security processing algorithm supported by the first device and a security processing algorithm supported by the second device.

The third device determines at least one security processing algorithm supported by the first device based on the algorithm identification of the at least one security processing algorithm supported by the first device, which is included in the first device information. And determining at least one safety processing algorithm supported by the second equipment based on the algorithm identification of the at least one safety processing algorithm supported by the second equipment, which is included in the second equipment information. And intersecting at least one security processing algorithm supported by the first device with at least one security processing algorithm supported by the second device to obtain an algorithm set.

For example, the ENcryption/decryption algorithm ENcryption supported by the first device is determined based on the algorithm identifier "ID-MACEncy" included in the first device information, and the ENcryption/decryption algorithm ENcryption supported by the second device is determined based on the algorithm identifier "ID-MACEncy" included in the second device information. And intersecting the Encryption and decryption algorithm Encryption supported by the first device and the Encryption and decryption algorithm Encryption supported by the second device to obtain an algorithm set, wherein the algorithm set comprises the Encryption and decryption algorithm Encryption.

The execution sequence between operations 5041 and 5042 is not sequential, i.e., 5041 is executed first and 5042 is executed second, 5042 is executed first and 5041 is executed second, or 5042 and 5041 are executed simultaneously.

5043: the third device generates at least one SA message based on the set of protocols, the set of algorithms, and the target security process indicated by the security requirement message.

At 5043, the third device determines a target security process corresponding to the target security process type, selects one or more security process algorithms from the set of algorithms that implement the target security process, and the data plane security protocol corresponding to each selected security process algorithm is a protocol in the cooperating set. Configuring parameters required by the safety processing algorithm based on the selected safety processing algorithm to obtain safety parameters, wherein the safety parameters comprise the safety processing algorithm and the parameters required by the safety processing algorithm. And allocating the SA identifier, thus obtaining SA information which comprises the first address, the SA identifier and the security parameter.

In some embodiments, the third device further assigns an aging duration to the SA information, and/or determines a security mode based on the target security process, and the SA information further includes the aging duration and/or the security mode.

For example, to cite an example of generating SA information, the target security processing type includes Encryption, and from the Encryption/decryption algorithm Encryption included in the set of algorithms, the Encryption/decryption algorithm Encryption that implements the Encryption is selected. And configuring a key secret key required by the Encryption and decryption algorithm Encryption based on the Encryption and decryption algorithm Encryption. And allocating an SA identifier as ID-SA1, allocating the aging time as 24 hours, and encrypting the security mode determined based on the target security processing type to obtain SA information. The SA information includes a first address "192.168.1.4", an SA identification "ID-SA1", a security parameter, an aging period "24 hours", and an encryption pattern. The security parameters include Encryption/decryption algorithm Encryption and key secret key.

At 5043, the third device selects a security processing algorithm from the set of algorithms a plurality of times, and the security processing algorithm selected each time is different, such that a plurality of SA information may be generated.

5044: and the third equipment respectively generates attribute information corresponding to each SA information based on each safety processing algorithm in each SA information.

For each SA message, the attribute message corresponding to the SA message includes a data plane security protocol corresponding to each security processing algorithm in the SA message, and the data plane security protocol in the attribute message is a protocol in the protocol set.

For example, for the above listed example, it is assumed that the data plane security protocol corresponding to the Encryption/decryption algorithm Encryption included in the SA information is MACSec, and the MACSec belongs to a protocol in the algorithm set, so that the attribute information corresponding to the SA information includes MACSec.

In some embodiments, the attribute information corresponding to each SA information further includes a source type, and the source type is a device type of the third device.

Step 505: the third device saves the at least one SA information in the first SA database and saves the at least one SA information in the second SA database.

In some embodiments, the third device further generates attribute information corresponding to the at least one SA information, and the third device stores each SA information and the attribute information corresponding to each SA information in the first SA database, and stores each SA information and the attribute information corresponding to each SA information in the second SA database.

For the case that the first SA database is located in the first device, the third device saves each SA information and the attribute information corresponding to each SA information to a first SA database (e.g., the first SA database 103 in fig. 4, 5, or 6) in the first device through a write (write) interface based on the second address included in the security policy. And when the second SA database is positioned in the second device, the third device stores each piece of SA information and attribute information corresponding to each piece of SA information to a second SA database (such as the second SA database 104 in FIG. 4, FIG. 5 or FIG. 6) in the second device through a write interface based on the first address included in the security policy.

And for the case that the first SA database and the second SA database are the same SA database and are located in the storage device, the third device determines the SA databases bound with the first address and the second address on the storage device based on the first address and the second address included in the security policy, and stores each piece of SA information and the attribute information corresponding to each piece of SA information to the SA databases through the write interface.

For example, in the above enumerated example, the SA information generated by the third device includes the first address "192.168.1.4", the SA identification "ID-SA1", the security parameters (Encryption/decryption algorithm Encryption and key "secret key"), the aging period "24 hours", and the Encryption pattern, and the generated attribute information corresponding to the SA information includes MACSec. The third device saves the SA information and the attribute information in the first SA database and/or the second SA database, as shown in table 1 below.

TABLE 1

For a device (first device, second device, or storage device) where the first SA database or the second SA database is located, when a storage duration of certain SA information in the device exceeds an aging duration included in the SA information, for convenience of description, the SA information is also referred to as first SA information, and the device sends a notification event to a third device, where the notification event includes an SA identifier of the first SA information. The third device receives the notification event, generates second SA information, where the address included in the first SA information is the same as the address included in the second SA information, the SA identifier included in the first SA information may be the same as or different from the SA identifier included in the second SA information, and the security parameter included in the first SA information is different from the security parameter included in the second SA information. And the third equipment updates the first SA information in the first SA database and/or the second SA database into the second SA information.

The security parameters in the first SA information comprise a security processing algorithm and first parameters required by the security processing algorithm, the security parameters in the second SA information comprise a security processing algorithm and second parameters required by the security processing algorithm, the security processing algorithms in the two security parameters are the same, and the first parameters and the second parameters are different.

In some embodiments, the network management can also configure the SA information and the attribute information corresponding to the SA information in the first SA database and/or the second SA database, where the attribute information includes a source configured by the network management.

In this embodiment of the present application, after the third device generates SA information, the SA information is stored in the first SA database or the second SA database, so that when the first device establishes a connection with the second device and needs to send data to the second device, the first device may obtain the SA information from the first SA database, perform the first security processing on the data using the SA information, and the second device obtains the SA information from the second SA database, and perform the second security processing on the received data using the SA information. Therefore, the first device and the second device do not need to negotiate the SA information after establishing the connection each time, so that the safety processing efficiency is improved, and the expenditure of network resources is saved. In addition, the third device generates the SA information and the attribute information corresponding to the SA information in a unified manner, so that the first device and the second device do not need to generate, and the computing resources of the first device and the second device are saved. Because the attribute information corresponding to the SA information comprises one or more data plane security protocols capable of using the SA information, a data plane security processing module corresponding to the one or more data plane security protocols can use the SA information, so that the negotiation management of the SA information of the control plane and the use of the SA information of the data plane are unbound, the management of the network security protocols is simplified, and the expansibility is improved.

For the distributed manner, the distributed manner is applied to the network architecture 100 shown in fig. 4 or fig. 7, and fig. 9 illustrates the distributed manner in detail by taking the first device and the second device to negotiate to generate SA information as an example. In the method shown in fig. 9, the first negotiation device is a negotiation module in the first device, the second negotiation device is a negotiation module in the second device, and the negotiation module in the first device and the negotiation module in the second device negotiate to generate SA information required by the first device and the second device (as shown in fig. 7). For simplicity, the negotiation body is described by the first device and the second device.

Referring to fig. 9, the distributed mode is realized by the following flow of steps 601 to 608 when realized.

Step 601: the first device obtains a security policy between the first device and the second device, the security policy indicating a target security process and a target data plane protocol.

In some embodiments, the security policy includes a first address, a second address, and security requirement information, the first address is an address of the second device, the second address is an address of the first device, and the security requirement information includes a processing type of the target security process and a protocol identifier of the target data plane security protocol.

Optionally, in some embodiments, the first device displays an input interface, and the network administrator inputs the security policy in the input interface displayed by the first device. The first device obtains the security policy from the input interface.

Optionally, in some embodiments, the network management personnel inputs the security policy on the network management device corresponding to the network management personnel, the network management device sends the security policy to the first device, and the first device receives the security policy.

Optionally, in some embodiments, the second device also obtains the security policy in the same way as the first device obtains the security policy, and thus, the details are not described here.

Step 602: the second device reports to the first device security capabilities of the second device, the security capabilities including at least one security processing algorithm supported by the second device and/or at least one data plane security protocol supported by the second device.

In step 602, the second device reports the security capabilities of the second device to the first device in the following two ways. The two modes are respectively as follows:

in the first mode, the second device sends second device information to the first device, where the second device information includes an algorithm identifier of at least one security processing algorithm supported by the second device and/or a protocol identifier of at least one data plane security protocol supported by the second device.

In a second mode, the second device obtains a second algorithm set based on the security policy, where the second algorithm set includes an intersection of at least one data plane security protocol supported by the second device and a target data plane security protocol indicated by the security requirement information, and sends, to the first device, the second protocol set and an algorithm identifier of at least one security processing algorithm supported by the second device.

Wherein the first device also performs the operation of step 602 as the second device, i.e. the first device reports the security capability of the first device to the second device.

Step 603: the first device obtains the security capability of the second device, and obtains the first protocol set and the algorithm set based on the security capability of the second device.

In some embodiments, the first device receives the second device information, and determines the at least one data plane security protocol supported by the second device based on the protocol identification of the at least one data plane security protocol supported by the second device, which is included in the second device information. And determining the target data plane security protocol based on the protocol identification of the target data plane security protocol included in the security policy. And intersecting at least one data plane security protocol supported by the first device, at least one data plane security protocol supported by the second device and a target data plane security protocol to obtain a first protocol set. And determining at least one safety processing algorithm supported by the second equipment based on the algorithm identification of the at least one safety processing algorithm supported by the second equipment, which is included in the second equipment information. And intersecting at least one security processing algorithm supported by the second equipment with at least one security processing algorithm supported by the first equipment to obtain an algorithm set.

Optionally, in some embodiments, the first device receives the second set of protocols and an algorithm identification of at least one secure processing algorithm supported by the second device; and intersecting at least one data plane security protocol supported by the first device with the second protocol set to obtain a first protocol set. Determining at least one security processing algorithm supported by the second device based on the algorithm identification of the at least one security processing algorithm supported by the second device, and intersecting the at least one security processing algorithm supported by the second device with the at least one security processing algorithm supported by the first device to obtain an algorithm set.

Then, the first device generates at least one SA message and attribute information corresponding to each SA message based on the first set of capabilities, the set of algorithms, and the security policy, as follows.

Step 604: the first device allocates an SA identifier, and generates a security parameter based on the first protocol set, the algorithm set and a target security process indicated by the security policy.

In step 604, the first device also generates attribute information. When the method is implemented, the first device determines a target security process corresponding to a process type based on the process type of the target security process included in the security policy, selects one or more security process algorithms for implementing the target security process from the algorithm set, and a data plane security protocol corresponding to the selected security process algorithm is a protocol in the first protocol set. Configuring parameters required by the safety processing algorithm based on the selected safety processing algorithm to obtain safety parameters, wherein the safety parameters comprise the safety processing algorithm and the parameters required by the safety processing algorithm. And distributing an SA identifier, and generating attribute information based on the first protocol set and the security processing algorithm, wherein the attribute information comprises a data plane security protocol corresponding to the security processing algorithm, and the data plane security protocol in the attribute information is a protocol in the first protocol set.

Step 605: the first device sends a confirmation request to the second device, the confirmation request including the SA identification and the security parameters.

In some embodiments, the confirmation request further includes the attribute information.

Step 606: and the second equipment receives the confirmation request, confirms the SA identifier and the security parameters, and sends a confirmation response to the first equipment after the confirmation is passed.

After the second device confirms that the first address (the address of the second device itself) passes, the second device acquires the SA information, wherein the SA information comprises the first address, the SA identifier and the security parameters.

When the confirmation request further includes the attribute information, the second device takes the attribute information as the attribute information corresponding to the SA information.

When a second SA database (e.g., the second SA database 104 shown in fig. 7) is located in the second device, the second device stores the SA information to the second SA database in the second device through the write interface, or stores the SA information and attribute information corresponding to the SA information.

Step 607: the first device receives the confirmation response, and based on the confirmation response, obtains the SA information, wherein the SA information comprises the first address, the SA identifier and the security parameters.

When the first device also generates the attribute information, the first device takes the attribute information as the attribute information corresponding to the SA information.

The second device may also perform the processes of 603-607 described above to generate the SA information and the attribute information corresponding to the SA information.

Step 608: the first device saves the SA information to a first SA database.

When the first device further generates attribute information corresponding to the SA information, the first device stores the SA information and the attribute information corresponding to the SA information in a first SA database (e.g., the first SA database 103 shown in fig. 7).

And when the first SA database is positioned in the first equipment, the first equipment stores the SA information and the attribute information corresponding to the SA information to the first SA database in the first equipment through a write interface.

And the first device determines the SA databases bound with the first address and the second address on the storage device based on the first address and the second address included in the security policy, and stores the SA information and the attribute information corresponding to the SA information to the SA databases through a write interface.

For a certain SA information in the first SA database, when the storage duration of the SA information in the first SA database exceeds the aging duration included in the SA information, for convenience of description, the SA information is also referred to as first SA information, the first device generates second SA information, an address included in the first SA information is the same as an address included in the second SA information, a security parameter included in the first SA information is different from a security parameter included in the second SA information, and an SA identifier included in the first SA information may be the same as or different from an SA identifier included in the second SA information. The first device updates the first SA information in the first SA database to the second SA information, and simultaneously informs the second device to update the first SA information in the second SA database to the second SA information. Similarly, when the storage duration of a certain SA information in the second SA database exceeds the aging duration included in the SA information, the second device performs the above operation as the first device.

The above is merely an example of implementing distributed generation of SA information, and other implementation examples are possible in addition to the above-described example. For example, the network architecture 100 as shown in fig. 7 includes the first device and the first negotiation device being two different devices, the second device and the second negotiation device being two different devices, the first negotiation device communicating with the first device and the second negotiation device, the second negotiation device also communicating with the second device. The first device reports the security capability of the first device to the first negotiation device, and the second device reports the security capability of the second device to the second negotiation device.

Thus, the first negotiation device obtains the security capability of the first device, and the second negotiation device obtains the security capability of the second device. Then, the first device in the above steps 601-608 is replaced by a first negotiation device, the second device is replaced by a second negotiation device, and the first negotiation device and the second negotiation device generate the SA information and the attribute information corresponding to the SA information according to the flow of the above steps 601-608.

In this embodiment of the present application, after a first device and a second device negotiate to generate SA information, the first device stores the SA information in a first SA database, and the second device stores the SA information in a second SA database, so that when the first device establishes a connection with the second device and needs to send data to the second device, the first device may obtain the SA information from the first SA database, perform a first security process on the data using the SA information, and the second device obtains the SA information from the second SA database, and perform a second security process on the received data using the SA information. Therefore, the first device and the second device do not need to negotiate the SA information after establishing the connection each time, thereby improving the safety processing efficiency and saving the expenditure of network resources. In addition, the first device and the second device generate the SA information and the attribute information corresponding to the SA information in a distributed mode, so that a third device does not need to be separately deployed to generate the SA information, and the cost is saved. Because the attribute information corresponding to the SA information comprises one or more data plane security protocols capable of using the SA information, the data plane security processing module corresponding to the one or more data plane security protocols can use the SA information, so that the negotiation management of the control plane SA information and the use of the data plane SA information are unbound, the management of the network security protocol is simplified, and the expansibility is improved.

After the SA information is stored in the first SA database (e.g., the first SA database 103 shown in fig. 4, 5, 6, or 7) and/or the second SA database (e.g., the second SA database 104 shown in fig. 4, 5, 6, or 7), the SA information in the first SA database or the second SA database can be used to perform security processing on the message sent by the first device to the second device.

Alternatively, the SA information in the first SA data or the second database is generated by the method 500 shown in fig. 8, or generated by the method 600 shown in fig. 9.

Optionally, refer to the embodiment shown in fig. 10 and/or the embodiment shown in fig. 11 below for a detailed processing procedure of processing a message.

Referring to fig. 10, an embodiment of the present application provides a method 700 for processing a packet, where the method 700 is applied to the network architecture 100 shown in fig. 4, fig. 5, or fig. 6, and includes steps 701 to 704.

Step 701: a first data plane security processing module in the first device acquires m pieces of SA information from a first SA database based on the first address, wherein m is a natural number which is greater than 0 and less than or equal to N.

The first data security processing module is any data surface security processing module in the first device, and the first address is an address of the second device.

Step 702: a first data plane security processing module in first equipment acquires a message to be sent, and a destination address of the message to be sent is a first address.

The message to be sent is a message received by the first device or a message generated by the first device.

Step 703: and a first data plane security processing module in the first device performs first security processing on the payload of the message to be sent based on the security parameters included in the m pieces of SA information, and adds the SA identifiers of the m pieces of SA information in the processed message to be sent to obtain a first message, wherein the payload of the first message is the payload after the first security processing.

Step 704: the communication interface of the first device sends the first message to the second device.

In this embodiment, since the first SA database is an SA database shared by at least one data plane security processing module of the first device, the data plane security processing module in the first device can access the first SA database. Thus, the data plane security processing module in the first device obtains the m SA information from the first SA database based on the first address, and performs the first security processing on the payload of the packet to be sent by using the m SA information. In a conventional scheme, after an original communication connection between a first device and a second device is disconnected, when the connection is reestablished and data needs to be sent, both the first device and the second device need to renegotiate to generate an SA for performing security processing on the data. According to the scheme provided by the embodiment of the application, after the first device establishes connection with the second device every time and needs to send data, the first device and the second device do not need to negotiate to generate SA information, the first device obtains m pieces of SA information from the first SA database based on the first address, and the message to be sent is safely processed through the m pieces of SA information, so that the safety processing efficiency is improved, and the expenditure of network resources is saved.

With respect to the method 700 shown in fig. 10, the following description of the embodiments of the present application refers to the network architecture 100 shown in fig. 4-7, and each step in the method 700 is described.

Optionally, for step 701, the first SA database includes a corresponding relationship between the SA information and the attribute information, and the first data plane security processing module obtains m SA information from the first SA database based on the first address and the filtering condition.

Each piece of SA information in the m pieces of SA information includes a first address, the filtering condition includes a data plane security protocol required by the first data plane security processing module, and the attribute information corresponding to the m pieces of SA information satisfies the filtering condition.

Because the filtering condition comprises the data plane security protocol required by the first data plane security processing module, the SA information corresponding to the data plane security protocol required by different data plane security processing modules can be obtained from the first SA database, so that the use of the SA information and the negotiation management of the SA information are understood and bound, the management of the network security protocol is simplified, and the expansibility is improved.

Optionally, in some embodiments, the attribute information corresponding to the SA information satisfies the filtering condition: the attribute information corresponding to the SA information includes a data plane security protocol required by the first data plane security processing module in the filter condition.

In step 701, the first device extracts a destination address from the message to be sent as a first address when receiving the message to be sent, or receives a processing event, where the processing event includes the first address. After the first address is obtained, m pieces of SA information are acquired based on the first address and the filter condition.

The first device can acquire m pieces of SA information in advance based on the first address in the processing event, so that when the first device receives the message with the destination address as the first address, the m pieces of SA information are directly used for carrying out safety processing on the message, and the safety processing efficiency is further improved.

Optionally, in some embodiments, the processing event may be sent by the network management device, and when the network management device needs the first device and the second device to perform security processing on a packet sent by the first device to the second device, the network management device uses an address of the second device as the first address, and sends the processing event including the first address to the first device. The first device acquires the m pieces of SA information, and when receiving a message with a first destination address, the first device performs first security processing on the message by using the m pieces of SA information.

Optionally, in some embodiments, the filtering condition includes one or more data plane security protocols, where the one or more data plane security protocols are data plane security protocols corresponding to the first data plane security processing module, or are determined by the first data plane security processing module itself.

The data plane security protocol in the filtering condition corresponds to the first data plane security processing module, or the first data plane security processing module determines based on its own internal logic, so as to enrich the way of obtaining the filtering condition.

The data plane security protocols in the filter criteria include, but are not limited to, one or more of: MACSec, IPSec, SRv6Sec, or SSL, etc.

Optionally, in some embodiments, the filter condition further includes a source of SA information required by the first data plane security processing module. In step 701, the first data plane security processing module obtains m SA information from the first SA database according to the first address, the data plane security protocol required by the first data plane security processing module included in the filter condition, and the source of the SA information required by the first data plane security processing module.

In some scenarios, the first data plane security processing module has a requirement on the source of the SA information, and the filtering condition includes the source of the SA information required by the first data plane security processing module, so that the SA information meeting the requirement of the first data plane security processing module can be acquired.

Optionally, in step 701, the first data plane security processing module may first acquire x pieces of SA information from the first SA database, where x is a natural number greater than or equal to m and less than or equal to N; then m pieces of SA information are selected from the x pieces of SA information based on a random manner or a polling manner.

The first data plane security processing module can acquire more than m SA information, that is, x SA information, from the first SA database, so that whenever the first data plane security processing module needs to send a packet with a destination address as the first address, m SA information is selected from the x SA information based on a random manner or a polling manner. Therefore, the first data plane security processing module does not need to frequently query the first SA database, the consumption of computing resources is reduced, and the security processing efficiency is improved.

Optionally, in some embodiments, the first data plane security processing module obtains the m SA information from the first SA database through the common interface.

In some embodiments, the common interface includes a publish/subscribe (Pub/Sub) interface, or the like.

For example, suppose that the communication interface of the first device receives a message to be sent, the destination address of the message to be sent is 192.168.1.4, and the data plane security protocol required by the first data plane security processing module is MACSec, that is, the filtering condition includes MACSec. Based on the first address and the filtering condition, SA information is obtained from the first SA database shown in table 1, the attribute information corresponding to the SA information includes MACSec in the filtering condition, and the SA information includes an address "192.168.1.4", an SA identifier "ID-SA1", security parameters (Encryption/decryption algorithm Encryption and key ", secret key"), an aging duration "24 hours", and an Encryption mode.

For the above step 703: for each SA information in the m SA information, the SA information includes contents such as a security processing algorithm and a parameter required by the security processing algorithm, and the first data plane security processing module invokes the security processing algorithm from the first device, and performs first security processing on a packet to be transmitted through the security processing algorithm based on the parameter.

Optionally, in some embodiments, the first data plane security processing module performs first security processing on a payload of a message to be sent, replaces the payload in the message to be sent with the processed payload, and adds the SA identifiers of the m SA information in the message to be sent to obtain the first message. For example, the first security processing is encryption processing, the first data plane security processing module encrypts a payload of a message to be sent, replaces the payload of the message to be sent with a ciphertext obtained after the processing, and adds the SA identifiers of the m SA information in the message to be sent to obtain the first message.

Optionally, in some embodiments, the first data plane security processing module performs first security processing on a payload of the message to be sent, and adds a result obtained by the processing and the SA identifiers of the m SA information in the message to be sent, so as to obtain the first message. For example, the first security processing is authentication processing, the first data plane security processing module calculates an information digest of a payload of a message to be sent, and adds the information digest and SA identifiers of the m SA information to the message to be sent, so as to obtain the first message.

For example, the SA information acquired by the first data plane security processing module includes an SA identifier "ID-SA1" and a security parameter (Encryption/decryption algorithm Encryption and key "secret key"). The first data plane security processing module encrypts a payload in a message to be sent through an Encryption and decryption algorithm Encryption based on a secret key, the processed payload is a ciphertext, the ciphertext replaces the payload in the message to be sent, and an SA identifier ID-SA1 is added to the message to be sent to obtain a first message. The communication interface of the first device sends the first message to the second device.

In this embodiment of the present application, since the first SA database is a database shared by at least one data plane security processing module of the first device, the data plane security processing module in the first device can access the first SA database. And because the attribute information corresponding to each SA information in the first SA database includes one or more data plane security protocols, the data plane security processing module in the first device obtains m SA information from the first SA database based on the first address and the data plane security protocol in the filtering condition, and performs the first security processing on the payload of the packet to be sent using the m SA information. In this way, each SA information in the first SA database is unbound from the network security protocol, and each data plane security processing module in the first device can acquire the SA information from the first SA database, that is, unbound between negotiation management of the control plane SA information and use of the data plane SA information, so that management of the network security protocol is simplified, and extensibility is improved, thereby adding new encryption characteristics to the datagram plane, such as adding SRv6sec and/or double encryption.

Referring to fig. 11, an embodiment of the present application provides a method 800 for processing a packet, where the method 800 is applied to the network architecture 100 shown in fig. 4, fig. 5, or fig. 6, and includes steps 801 to 803.

Step 801: and the communication interface of the second equipment receives a first message, wherein the first message comprises m SA identifiers and a payload.

For example, the communication interface of the second device receives a first packet, which includes an SA identification "ID-SA1" and a ciphertext, which is a payload of the first packet.

Step 802: and the first data plane security processing module of the second device acquires m pieces of SA information corresponding to the m pieces of SA identifiers from the second SA database based on the m pieces of SA identifiers.

And at least one data plane safety processing module in the second equipment comprises a first data plane safety processing module.

In step 802, the first data plane security processing module of the second device obtains m SA information corresponding to the m SA identifiers from the second SA database through the common interface.

In some embodiments, the common interface comprises a Pub/Sub interface or the like.

For example, the first data plane security processing module obtains SA information from the second SA database as shown in table 1 based on the SA identifier "ID-SA1", the SA information including the address "192.168.1.4", the SA identifier "ID-SA1", security parameters (Encryption/decryption algorithm Encryption and key "secret key"), the aging period "24 hours", and the Encryption mode.

Step 803: and the first data plane security processing module of the second device performs second security processing on the payload of the first message based on the security parameters included in the m pieces of SA information.

For each SA information in the m SA information, the security parameters in the SA information include a security processing algorithm and parameters and the like required by the security processing algorithm, and the first data plane security processing module performs second security processing on the payload of the first packet through the security processing algorithm based on the parameters.

For example, the first data plane security processing module decrypts a ciphertext in the first message by using an Encryption and decryption algorithm Encryption based on the key "secret key" to obtain a plaintext.

In this embodiment of the present application, since the second SA database is an SA database shared by at least one data plane security processing module of the second device, the data plane security processing module in the second device can access the second SA database. In this way, the data plane security processing module in the second device obtains m SA information from the second SA database based on the m SA identifiers, so that the m SA information is used to perform the second security processing on the payload of the first packet. Therefore, when the second device establishes connection with the first device and receives the first message each time, the first device acquires the SA information from the SA database and processes the first message by using the SA information, and the first device and the second device do not need to negotiate to generate the SA information first, so that the safety processing efficiency is improved, and the expenditure of network resources is saved. In addition, the second SA database is used for realizing the binding between the negotiation management of the SA information and the use and unbinding of the SA information, so that the management of a network security protocol is simplified, and the expansibility is improved.

Referring to fig. 12, an embodiment of the present application provides an apparatus 900 for processing a packet. Optionally, the apparatus 900 is applied in the network architecture 100 as shown in fig. 4, fig. 5, fig. 6 or fig. 7. Optionally, the device 900 is a first device provided in any of the above embodiments, for example, the first device 101 in the network architecture 100 shown in fig. 4, fig. 5, fig. 6, or fig. 7, the first device in the method 500 shown in fig. 8, the first device in the method 600 shown in fig. 9, or the first device in the method 700 shown in fig. 10. The apparatus 900 comprises: a processor 901, memory 902 and internal connections 903.

The processor 901 and the memory 902 are connected via an internal connection 903, the memory 902 having an operating system and program code stored therein, the at least one processor 901 reading the operating system from the memory 902 and running the operating system. Optionally, internal connection 903 comprises a bus.

At least one processor 901 reads the program code from the memory 902 and processes the message by running the program code in the operating system.

Optionally, the device 900 further comprises a network interface 904, the network interface 904 being connected to the processor 901 and the memory 902 via an internal connection 903. The network interface 904 is capable of communicating with the second device 102 in the network architecture 100 shown in fig. 4, 5, 6 or 7, or the network interface 904 is capable of communicating with the third device 105 in the network architecture 100 shown in fig. 5 or 6, or the network interface 904 is capable of communicating with the first negotiation device 106 in the network architecture 100 shown in fig. 7.

Optionally, the detailed implementation process of the processor 901 for processing the message may refer to relevant contents in the embodiment shown in fig. 10, and is not described in detail here.

Optionally, the device 900 further comprises an input device 905, the input device 905 being connected to the internal connection 903. The processor 901 can receive input commands or data or the like through the input device 905.

Optionally, the device 900 further includes a display device 906, and the display device 906 can be used for displaying intermediate results and/or final results of the message flow processed by the processor 901.

Alternatively, the processor 901 may be a general processing unit (CPU), a Network Processor (NP), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program according to the present disclosure.

The internal connections 904 include a path for passing information between the components. Alternatively, the internal connection 904 may be a single board or a bus, etc.

The memory 902 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disk read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be separate and coupled to the processor via a bus. The memory may also be integral to the processor.

In one implementation, processor 901 may include one or more CPUs, such as CPU0 and CPU1 in fig. 12, as an example.

In one implementation, the detection device 900 may include multiple processors, such as the processor 901 and the processor 907 of fig. 12, for example, as an example. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores that process data, such as computer program instructions.

In the above embodiments, the flow of processing the message may be wholly or partially implemented by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented wholly or partly in the form of a computer program product, for example, a piece of software for processing messages for installation in the first device 101 shown in fig. 4, 5, 6 or 7.

The computer program product includes one or more computer instructions. The procedures or functions described in connection with the embodiments of the invention may be embodied in whole or in part when the computer program instructions are loaded into and executed by a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like. The computer instructions may be transmitted to or from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.

Referring to fig. 13, an embodiment of the present application provides an apparatus 1000 for processing a packet. Optionally, the apparatus 1000 is applied in a network architecture 100 as shown in fig. 4, fig. 5, fig. 6 or fig. 7. Optionally, the device 1000 is a second device provided in any of the above embodiments, for example, the second device 102 in the network architecture 100 shown in fig. 4, fig. 5, fig. 6, or fig. 7, the second device in the method 500 shown in fig. 8, the second device in the method 600 shown in fig. 9, or the second device in the method 800 shown in fig. 11. The apparatus 1000 comprises: a processor 1001, memory 1002, and internal connections 1003.

The processor 1001 and the memory 1002 are connected via an internal connection 1003, the memory 1002 having an operating system and program codes stored therein, the at least one processor 1001 reading the operating system from the memory 1002 and running the operating system. Optionally, internal connection 1003 comprises a bus.

At least one processor 1001 reads program codes from the memory 1002 and processes messages by running the program codes in the operating system.

Optionally, the apparatus 1000 further comprises a network interface 1004, and the network interface 1004 is connected to the processor 1001 and the memory 1002 through an internal connection 1003. The network interface 1004 is capable of communicating with the first device 101 in the network architecture 100 shown in fig. 4, 5, 6 or 7, or the network interface 1004 is capable of communicating with the third device 105 in the network architecture 100 shown in fig. 5 or 6, or the network interface 1004 is capable of communicating with the second negotiation device 107 in the network architecture 100 shown in fig. 7.

Optionally, the detailed implementation process of the processor 1001 for processing the message may refer to relevant contents in the embodiment shown in fig. 11, and will not be described in detail here.

Optionally, the device 1000 further comprises an input device 1005, the input device 1005 being connected to the internal connection 1003. The processor 1001 can receive an input command or data or the like through the input device 1005.

Optionally, the device 1000 further includes a display device 1006, and the display device 1006 can be configured to display an intermediate result and/or a final result of the message processing flow executed by the processor 1001.

Alternatively, the processor 1001 may be a general processing unit (CPU), a Network Processor (NP), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program according to the present disclosure.

The internal connections 1004 include a path for passing information between the components. Alternatively, the internal connection 1004 may be a single board or a bus, etc.

The memory 1002 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be separate and coupled to the processor via a bus. The memory may also be integral to the processor.

In a specific implementation, processor 1001 may include one or more CPUs, such as CPU0 and CPU1 in fig. 13, as an example.

In one implementation, the detection device 1000 may include multiple processors, such as the processor 1001 and the processor 1007 in fig. 13, for example. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).

In the above embodiments, the process of detecting the file to be detected may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product, for example, a piece of software for processing messages for installation on the second device 102 shown in fig. 4, 5, 6 or 7.

The computer program product includes one or more computer instructions. The procedures or functions described in connection with the embodiments of the invention may be embodied in whole or in part by loading and executing the computer program instructions on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like. The computer instructions may be transmitted to or from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that includes one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid State Disk (SSD)), among others.

Referring to fig. 14, an embodiment of the present application provides an apparatus 1100 for acquiring SA information of a security association. Optionally, the device 1100 is applied in a network architecture 100 as shown in fig. 4, 5, 6 or 7. Optionally, the device 1100 is the first device, the second device, the third device, the first negotiation device, or the second negotiation device provided in any of the above embodiments, for example, the first device 101 or the second device 102 in the network architecture 100 shown in fig. 4, fig. 5, fig. 6, or fig. 7, the third device in the method 500 shown in fig. 8, the first device in the method 600 shown in fig. 9, the third device 105 in the network architecture 100 shown in fig. 5 or fig. 6, or the first negotiation device 106 or the second negotiation device 107 in the network architecture 100 shown in fig. 7. The apparatus 1100 comprises: a processor 1101, a memory 1102 and internal connections 1103.

The processor 1101 and the memory 1102 are connected via an internal connection 1103, the memory 1102 having stored therein an operating system and program codes, the at least one processor 1101 reading the operating system from the memory 1102 and running the operating system. Optionally, internal connection 1103 comprises a bus.

The at least one processor 1101 reads the program code from the memory 1102, and acquires the SA information by running the program code in the operating system.

Optionally, the device 1100 further comprises a network interface 1104, and the network interface 1104 is connected to the processor 1101 and the memory 1102 through the internal connection 1103. The network interface 1104 is capable of communicating with the first device 101 or the second device 102 in the network architecture 100 shown in fig. 4, 5, 6, or 7.

Optionally, the detailed implementation process of the processor 1101 for obtaining the SA information may refer to relevant contents in the embodiment shown in fig. 8 or fig. 9, and will not be described in detail here.

Optionally, the device 1100 further comprises an input device 1105, the input device 1105 being connected to the internal connection 1103. The processor 1101 can receive input commands or data or the like through the input device 1105.

Optionally, the apparatus 1100 further comprises a display device 1106, and the display device 1106 can be used for displaying intermediate results and/or final results of the process of obtaining SA information performed by the processor 1101, and the like.

Alternatively, the processor 1101 may be a general processing unit (CPU), a Network Processor (NP), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs according to the present disclosure.

The internal connections 1104 include a path for passing information between the components. Alternatively, the internal connection 1104 may be a single board or a bus, etc.

The memory 1102 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that may store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be separate and coupled to the processor via a bus. The memory may also be integral to the processor.

In a particular implementation, processor 1101 may include one or more CPUs, such as CPU0 and CPU1 in fig. 14, as an example.

In particular implementations, detection device 1100 may include multiple processors, such as processor 1101 and processor 1107 of FIG. 14, for example, as an example. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).

In the above embodiments, the process of detecting the file to be detected may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product, for example, a software for acquiring SA information to be installed in the first device 101 or the second device 102 shown in fig. 4, 5, 6, or 7, or in the third device shown in fig. 5 or 6, or in the first negotiation device or the second negotiation device shown in fig. 7.

The computer program product includes one or more computer instructions. The procedures or functions described in connection with the embodiments of the invention may be embodied in whole or in part by loading and executing the computer program instructions on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like. The computer instructions may be transmitted to or from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid State Disk (SSD)), among others.

Referring to fig. 15, an embodiment of the present application provides an apparatus 1200 for processing a packet. Optionally, the apparatus 1200 is applied in the network architecture 100 as shown in fig. 4, fig. 5, fig. 6 or fig. 7. Optionally, the apparatus 1200 is deployed on a first device provided in any of the above embodiments, for example, the first device 101 in the network architecture 100 shown in fig. 4, fig. 5, fig. 6, or fig. 7, the first device in the method 500 shown in fig. 8, the first device in the method 600 shown in fig. 9, or the first device in the method 700 shown in fig. 10.

The apparatus 1200 shown in fig. 15 includes at least one data plane security processing module and a communication module, where an SA database corresponding to the apparatus 1200 includes N SA information, where N is a natural number greater than 0, each SA information in the N SA information includes an address, an SA identifier, and a security parameter,

a first data plane security processing module 1201, configured to obtain m pieces of SA information from the SA database based on a first address, where m is a natural number greater than 0 and less than or equal to N, the first address is an address of a second device, each piece of SA information in the m pieces of SA information includes the first address, and the first data plane security processing module 1201 is one of at least one data plane security processing module included in the apparatus 1200;

the first data plane security processing module 1201 is further configured to obtain a message to be sent, where a destination address of the message to be sent is a first address;

the first data plane security processing module 1201 is further configured to perform, based on the security parameters included in the m SA information, first security processing on a payload of the message to be sent, and add the SA identifiers of the m SA information to the message to be sent to obtain a first message, where the payload of the first message is a payload after the first security processing;

the communication module 1202 is configured to send the first packet to the second device.

Optionally, the detailed implementation process of the first data plane security processing module 1201 for acquiring the m SA information is described in the above related content in step 701 of the method 700 shown in fig. 10, and will not be described in detail here.

Optionally, the first data plane security processing module 1201 obtains a detailed implementation process of the message to be sent, see the related contents in step 702 of the method 700 shown in fig. 10, and will not be described in detail here.

Optionally, the detailed implementation process of obtaining the first packet by the first data plane security processing module 1201 refers to the relevant content in step 703 of the method 700 shown in fig. 10, and is not described in detail here.

Optionally, the SA database corresponding to the apparatus 1200 further includes attribute information corresponding to the SA information of the N security associations, where the attribute information corresponding to the first SA information of the N SA information includes one or more data plane security protocols capable of using the first SA information,

the first data plane security processing module 1201 is configured to obtain m SA information from an SA database according to the first address and a filtering condition, where attribute information of each SA information in the m SA information satisfies the filtering condition, and the filtering condition includes a data plane security protocol required by the first data plane security processing module 1201.

Optionally, the detailed implementation process of the first data plane security processing module 1201 acquiring the m SA information according to the first address and the filter condition is described in the above related contents in step 701 of the method 700 shown in fig. 10, and will not be described in detail here.

Optionally, the attribute information corresponding to the first SA information in the N SA information further includes a source of the first SA information, the filtering condition further includes a source of the SA information required by the first data plane security processing module 1201,

the first data plane security processing module 1201 is configured to acquire m SA information from the SA database according to the first address, the data plane security protocol included in the filtering condition and required by the first data plane security processing module 1201, and a source of the SA information required by the first data plane security processing module 1201.

Optionally, the first data plane security processing module 1201 obtains the detailed implementation process of the m SA information according to the first address, the data plane security protocol and the source required by the first data plane security processing module, see the related contents in step 701 of the method 700 shown in fig. 10, and will not be described in detail here.

Optionally, the communication module 1202 is further configured to report a security capability of the apparatus 1200, where the security capability includes at least one supported security processing algorithm and/or at least one supported data plane security protocol, so as to support a third device to generate at least one SA information based on a security capability of a second device, a security capability of the apparatus 1200, and a security policy between the apparatus 1200 and the second device, and store the at least one SA information in the SA database,

the security policy is used to indicate a target security process and a target data plane security protocol, each SA information in at least one SA information includes an address of the second device, an SA identifier in each SA information is allocated by the third device, and a security parameter in each SA information is a parameter specified by the security policy and is a parameter supported by both the security capability of the apparatus 1200 and the capability of the second device.

Optionally, the third device is a management device or a negotiation device corresponding to the apparatus 1200, where the management device is configured to generate, for each device of at least three devices, SA information required by each device and a communication peer device of each device, respectively, the at least three devices include the apparatus 1200 and the second device, and the negotiation device corresponding to the apparatus 1200 is configured to negotiate, for the apparatus 1200, SA information required by the apparatus 1200 and the communication peer device.

Optionally, the data plane security protocol includes: media access control security MACSec, internet protocol security IPSec, segment routing internet protocol version six security SRv6Sec, or secure sockets SSL.

Optionally, the apparatus 1200 includes a plurality of data plane security processing modules, and the SA database is an SA database in which at least two data plane security processing modules in the plurality of data plane security processing modules have access rights.

Optionally, the first data plane security processing module 1201 is configured to obtain m SA information from the SA database through the common interface.

Optionally, the common interface comprises a publish/subscribe Pub/Sub interface.

Optionally, the first security process includes one or more of: encryption processing, authentication processing, tamper-proof processing, or replay-proof processing.

The detailed implementation process of the apparatus 1200 for processing a message may refer to the relevant contents in the embodiment shown in fig. 10, and will not be described in detail here.

The embodiment of the apparatus 1200 depicted in fig. 15 is merely illustrative, and for example, the division of the modules is only one logical division, and in actual implementation, there may be other divisions, for example, multiple modules may be combined or integrated into another system, or some features may be omitted, or not implemented. Each functional module in the embodiments of the present application may be integrated into one module, or each module may exist alone physically, or two or more modules are integrated into one module. The above modules in fig. 15 may be implemented in the form of hardware, or may be implemented in the form of software functional units. For example, when implemented in software, the first data plane security processing module 1201 and the communication module 1202 may be implemented by software functional modules generated by at least one processor 901 in fig. 12 reading program codes stored in the memory 902. The above modules in fig. 15 may also be implemented by different hardware in the device 900, for example, the first data plane security processing module 1201 is implemented by a part of processing resources (e.g., one core in a multi-core processor) in at least one processor 901 in fig. 12, and the communication module 1202 is implemented by the network interface 904 and the rest of processing resources (e.g., other cores in the multi-core processor) in at least one processor 901 in fig. 12, or by using a Programmable device such as a Field-Programmable Gate Array (FPGA), or a coprocessor. Obviously, the above functional modules may also be implemented by using a combination of software and hardware, for example, the communication module 1202 is implemented by a hardware programmable device, and the first data plane security processing module 1201 is a software functional module generated after the CPU reads program codes stored in the memory 902.

In the embodiment of the present application, since the first data plane security processing module in the apparatus 1200 can access the SA database. Therefore, the first data plane security processing module acquires m pieces of SA information from the SA database based on the first address, and performs first security processing on the payload of the message to be sent by using the m pieces of SA information. In the conventional scheme, after the original communication connection between the apparatus 1200 and the second device is disconnected, when the connection is reestablished and data needs to be sent, both the apparatus 1200 and the second device need to renegotiate to generate SA information for performing security processing on the data. According to the scheme provided by the embodiment of the application, after the device 1200 establishes connection with the second device each time and needs to send data, the device 1200 and the second device do not need to negotiate to generate SA information, but the first data plane security processing module obtains m pieces of SA information from the SA database based on the first address, and performs security processing on the message to be sent through the m pieces of SA information, so that the security processing efficiency is improved, and the cost of network resources is saved. Since the SA database is a database shared by at least one data plane security processing module in the apparatus 1200, the data plane security processing module in the apparatus 1200 can access the SA database. Since the attribute information corresponding to each SA information in the SA database includes one or more data plane security protocols, the data plane security processing module in the apparatus 1200 obtains m SA information from the SA database based on the first address and the data plane security protocol in the filtering condition, and performs the first security processing on the payload of the packet to be sent using the m SA information. Thus, each SA information in the SA database is unbound from the network security protocol, and each data plane security processing module in the apparatus 1200 can obtain the SA information from the SA database, that is, unbound between the negotiation management of the control plane SA information and the use of the data plane SA information, thereby simplifying the management of the network security protocol and improving the scalability.

Referring to fig. 16, an apparatus 1300 for processing a message is provided in the embodiment of the present application. Optionally, the apparatus 1300 is applied in the network architecture 100 as shown in fig. 4, fig. 5, fig. 6 or fig. 7. Optionally, the apparatus 1300 is deployed on a second device provided in any embodiment described above, for example, the second device 102 in the network architecture 100 shown in fig. 4, fig. 5, fig. 6, or fig. 7, the second device in the method 500 shown in fig. 8, the second device in the method 600 shown in fig. 9, or the second device in the method 800 shown in fig. 11.

The apparatus 1300 shown in fig. 16 includes at least one data plane security processing module and a communication module, where the SA database corresponding to the apparatus 1300 includes M SA information, M is a natural number greater than 0, each of the M SA information includes an SA id and a security parameter,

a communication module 1301, configured to receive a first packet, where the first packet includes M SA identifiers and a payload, and M is a natural number greater than 0 and less than or equal to M;

a second data plane security processing module 1302, configured to obtain m SA information corresponding to the m SA identifiers from an SA database based on the m SA identifiers, where the second data plane security processing module 1302 is a data plane security processing module in at least one data plane security processing module included in the apparatus 1300;

the second data plane security processing module 1302 is further configured to perform second security processing on the payload of the first packet based on the security parameters included in the m SA information.

Optionally, the detailed implementation process of the second data plane security processing module 1302 for acquiring the m SA information is described in the above related content in step 802 of the method 800 shown in fig. 11, and will not be described in detail here.

Optionally, the second data plane security processing module 1302 performs a detailed implementation process of the second security processing on the payload of the first packet, see the related content in step 803 of the method 800 shown in fig. 11, which is not described in detail here.

Optionally, the communication module 1301 is further configured to report, to a third device, the security capability of the apparatus 1300, where the security capability includes at least one supported security processing algorithm and/or at least one supported data plane security protocol, so as to support the third device to generate at least one SA information based on the security capability of the first device, the security capability of the apparatus 1300, and the security policy between the first device and the apparatus 1300, and store the at least one SA information in the SA database,

the security policy is used to indicate a target security process and a target data plane security protocol, the SA identifier in each SA message is assigned by the third device, and the security parameter in each SA message is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the capability of the apparatus 1300.

Optionally, the third device is a management device or a negotiation device corresponding to the apparatus 1300, where the management device is configured to generate, for each device of at least three devices, SA information required by each device and a communication peer device of each device, and the at least three devices include the first device and the apparatus 1300, and the negotiation device corresponding to the apparatus 1300 is configured to negotiate, for the apparatus 1300, the SA information required by the apparatus 1300 and the communication peer device.

Optionally, the second data plane security processing module 1302 is configured to obtain, based on the m SA identifiers, m SA information corresponding to the m SA identifiers from the SA database through a public interface.

Optionally, the common interface comprises a publish/subscribe Pub/Sub interface.

Optionally, the second security process includes one or more of: decryption processing, authentication processing, tamper-proof processing or replay-proof processing.

The detailed implementation process of the apparatus 1300 for processing a message can refer to the relevant contents in the embodiment shown in fig. 11, and will not be described in detail here.

The embodiment of apparatus 1300 depicted in fig. 16 is merely illustrative, and for example, the division of the modules is merely a logical division, and in actual implementation, there may be other divisions, for example, multiple modules may be combined or integrated into another system, or some features may be omitted, or not implemented. Each functional module in the embodiments of the present application may be integrated into one module, or each module may exist alone physically, or two or more modules are integrated into one module. The above modules in fig. 16 may be implemented in the form of hardware, or may be implemented in the form of software functional units. For example, when implemented in software, the second data plane security processing module 1302 and the communication module 1301 may be implemented by software functional modules generated by at least one processor 1001 in fig. 13 after reading program codes stored in the memory 1002. The above modules in fig. 16 may also be implemented separately by different hardware in the device 1000, for example, the second data plane security processing module 1302 is implemented by a part of processing resources (e.g., one core in a multi-core processor) in at least one processor 1001 in fig. 13, and the communication module 1301 is implemented by the network interface 1004 in fig. 13 and the rest of processing resources (e.g., other cores in the multi-core processor) in at least one processor 1001, or implemented by a Programmable device such as a Field-Programmable Gate Array (FPGA), or a coprocessor. Obviously, the above functional modules may also be implemented by a combination of software and hardware, for example, the communication module 1301 is implemented by a hardware programmable device, and the second data plane security processing module 1302 is a software functional module generated by the CPU reading the program code stored in the memory 1002.

In this embodiment of the present application, the second data plane security processing module in the apparatus 1300 obtains m SA information from the SA database based on the m SA identifiers, so as to perform the second security processing on the payload of the first packet by using the m SA information. Therefore, when the apparatus 1300 establishes a connection with the first device and receives the first message each time, the second data plane security processing module obtains the SA information from the SA database, and processes the first message using the SA information, and the apparatus 1300 and the first device do not need to negotiate to generate the SA information first, thereby improving the security processing efficiency and saving the cost of network resources.

Referring to fig. 17, an embodiment of the present application provides an apparatus 1400 for acquiring SA information of a security association. Optionally, the apparatus 1400 is applied in the network architecture 100 as shown in fig. 4, fig. 5, fig. 6 or fig. 7. Optionally, the apparatus 1400 is deployed on the first device, the second device, the third device, the first negotiation device, or the second negotiation device provided in any of the above embodiments. For example, the first device 101 or the second device 102 in the network architecture 100 shown in fig. 4, 5, 6, or 7, the third device in the method 500 shown in fig. 8, the first device in the method 600 shown in fig. 9, the third device 105 in the network architecture 100 shown in fig. 5 or 6, or the first negotiation device 106 or the second negotiation device 107 in the network architecture 100 shown in fig. 7. The apparatus 1400 comprises:

an obtaining unit 1401, configured to obtain a security capability of a first device, a security capability of a second device, and a security policy between the first device and the second device, where the security capability of the first device includes a security processing algorithm supported by the first device and/or a data plane security protocol supported by the first device, the security capability of the second device includes a security processing algorithm supported by the second device and/or a data plane security protocol supported by the second device, and the security policy is used to indicate a target security process and a target data plane protocol;

a processing unit 1402, configured to generate at least one SA information based on the security capability of the first device, the security capability of the second device, and the security policy, where each SA information in the at least one SA information includes a first address, an SA identifier, and a security parameter; the security parameters are parameters specified by the security policy and are parameters supported by both the security capabilities of the first device and the security capabilities of the second device.

Optionally, the obtaining unit 1401 obtains the security capability of the first device, the security capability of the second device, and a detailed implementation procedure of the security policy between the first device and the second device, see the related contents in step 503 of the method 500 shown in fig. 8, and the related contents in steps 601 and 603 of the method 600 shown in fig. 9, which are not described in detail herein.

Optionally, the detailed implementation process of the processing unit 1402 for generating at least one SA information is described in detail in step 504 of the method 500 shown in fig. 8, and in steps 604-607 of the method 600 shown in fig. 9, and will not be described in detail here.

Optionally, the processing unit 1402 is further configured to:

and generating attribute information corresponding to at least one piece of SA information based on the security capability of the first device, the security capability of the second device and the security policy, wherein the attribute information corresponding to the first SA information in the at least one piece of SA information comprises one or more data plane security protocols capable of using the first SA information.

Optionally, the detailed implementation process of the processing unit 1402 generating the attribute information corresponding to the at least one SA information is described in detail with reference to the related contents in step 504 of the method 500 shown in fig. 8, and the related contents in steps 604-607 of the method 600 shown in fig. 9, and will not be described in detail here.

Optionally, the processing unit 1402 is configured to:

acquiring a protocol set and an algorithm set based on the security capability of the first device, the security capability of the second device and a security policy, wherein the protocol set is an intersection of a data plane security protocol supported by the first device, a data plane security protocol supported by the second device and a target data plane security protocol, and the algorithm set is an intersection of a security processing algorithm supported by the first device and a security processing algorithm supported by the second device;

at least one SA message is generated based on the set of protocols, the set of algorithms, and the target security process.

Optionally, the processing unit 1402 obtains detailed implementation procedures of the protocol set and the algorithm set, see the related contents in steps 5041-5042 of the method 500 shown in fig. 8, and the related contents in step 603 of the method 600 shown in fig. 9, which are not described in detail herein.

Optionally, the detailed implementation process of the processing unit 1402 generating at least one SA message is described in detail in step 5043 of the method 500 shown in fig. 8, and in steps 604-607 of the method 600 shown in fig. 9, and will not be described in detail herein.

Optionally, the processing unit 1402 is further configured to:

and storing at least one piece of SA information in an SA database corresponding to the first device, and/or storing at least one piece of SA information in an SA database corresponding to the second device.

The embodiment of the apparatus 1400 depicted in fig. 17 is merely illustrative, and for example, the division of the units is only one logical division, and in actual implementation, there may be other divisions, for example, multiple units may be combined or may be integrated into another system, or some features may be omitted, or not executed. Each functional unit in the embodiments of the present application may be integrated into one unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The above units in fig. 17 may be implemented in the form of hardware, or may be implemented in the form of software functional units. For example, when implemented in software, the obtaining unit 1401 and the processing unit 1402 may be implemented by software functional modules generated by at least one processor 1101 in fig. 14 after reading program codes stored in the memory 1102. The above units in fig. 17 may also be implemented by different hardware in the device 1100, for example, the obtaining unit 1401 is implemented by a part of processing resources (e.g., one core in a multi-core processor) in at least one processor 1101 in fig. 14, and the processing unit 1402 is implemented by the rest of processing resources (e.g., other cores in the multi-core processor) in at least one processor 1101 in fig. 4, or is implemented by a Programmable device such as a Field-Programmable Gate Array (FPGA) or a coprocessor. Obviously, the above functional units may also be implemented by using a combination of software and hardware, for example, the obtaining unit 1401 is implemented by a hardware programmable device, and the processing unit 1402 is a software functional module generated by the CPU reading the program code stored in the memory 1102.

In this embodiment of the present application, the apparatus 1400 obtains the security capability of the first device, the security capability of the second device, and the security policy between the first device and the second device. And generating at least one piece of SA information based on the security capability of the first device, the security capability of the second device and the security policy, and storing the SA information into an SA database. After the first device establishes connection with the second device every time and needs to send data, the first device and the second device do not need to negotiate to generate SA information, but a first data plane security processing module in the first device obtains m pieces of SA information from an SA database based on a first address, and performs security processing on a message to be sent through the m pieces of SA information, so that the security processing efficiency is improved, and the expenditure of network resources is saved.

The embodiment of the present application provides a system for processing a message, which is shown in fig. 4 to 7. The system comprises the apparatus 900 as described in fig. 12 and the apparatus 1000 as described in fig. 13, or comprises the apparatus 1200 as shown in fig. 15 and the apparatus 1300 as shown in fig. 16.

Alternatively, the apparatus 900 shown in fig. 12 or the apparatus 1200 shown in fig. 15 is the first device in fig. 4-7, and the apparatus 1000 shown in fig. 13 or the apparatus 1300 shown in fig. 16 is the second device 1502 in fig. 4-7.

Optionally, the system further comprises the apparatus 1100 shown in fig. 14 or the apparatus 1400 shown in fig. 17.

Alternatively, the apparatus 1100 shown in fig. 14 or the apparatus 1400 shown in fig. 17 is the third device in fig. 5.

Optionally, the third device is a first negotiation device corresponding to the first device in fig. 7, or is a second negotiation device corresponding to the second device.

It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.

The above description is intended only to illustrate the alternative embodiments of the present application, and not to limit the present application, and any modifications, equivalents, improvements, etc. made within the principle of the present application should be included in the scope of the present application.

Claims (47)

1. A method for processing a packet is applied to a first device, where the first device includes at least one data plane security processing module, a Security Alliance (SA) database corresponding to the first device includes N pieces of SA information, where N is a natural number greater than 0, and each piece of SA information in the N pieces of SA information includes an address, an SA identifier, and a security parameter, respectively, where the method includes:

the first data plane security processing module acquires m pieces of SA information from the SA database based on a first address, wherein m is a natural number which is greater than 0 and less than or equal to N, the first address is an address of a second device, each piece of SA information in the m pieces of SA information comprises the first address, and the first data plane security processing module is one of at least one data plane security module included in the first device;

the first data plane security processing module acquires a message to be sent, wherein the destination address of the message to be sent is the first address;

the first data plane security processing module performs first security processing on the payload of the message to be sent based on the security parameters included in the m pieces of SA information, and adds SA identifiers of the m pieces of SA information in the message to be sent to obtain a first message, wherein the payload of the first message is the payload after the first security processing;

and the communication interface of the first equipment sends the first message to the second equipment.

2. The method of claim 1, wherein the SA database corresponding to the first device further includes attribute information corresponding to the SA information of the N security associations, respectively, the attribute information corresponding to a first SA information of the N includes one or more data plane security protocols capable of using the first SA information,

the first data plane security processing module acquires m pieces of SA information from the SA database based on the first address, including:

the first data plane security processing module acquires m pieces of SA information from the SA database according to the first address and a filtering condition, wherein the attribute information of each piece of SA information in the m pieces of SA information meets the filtering condition, and the filtering condition comprises a data plane security protocol required by the first data plane security processing module.

3. The method according to claim 2, wherein the attribute information corresponding to a first SA information in the N SA information further includes a source of the first SA information, the filter condition further includes a source of the SA information required by the first data plane security processing module,

the first data plane security processing module acquires m SA information from the SA database according to the first address and the filtering condition, and includes:

the first data plane security processing module acquires m SA information from the SA database according to the first address, and a data plane security protocol required by the first data plane security processing module and a source of SA information required by the first data plane security processing module included in the filter condition.

4. The method of claim 1, wherein the first data plane security processing module obtains m SA information from the SA database based on the first address, comprising:

the first data plane security processing module acquires x pieces of SA information from the SA database based on the first address, wherein x is a natural number which is greater than or equal to m and less than or equal to N;

the first data plane security processing module selects the m pieces of SA information from the x pieces of SA information based on a random mode or a polling mode.

5. The method of any of claims 1-4, wherein before the first data plane security processing module obtains m SA information from the SA database based on the first address, the method further comprises:

the first device reports the security capability of the first device to a third device, where the security capability includes at least one supported security processing algorithm and/or at least one supported data plane security protocol, so as to support the third device to generate at least one SA information based on the security capability of a second device, the security capability of the first device, and a security policy between the first device and the second device, and store the at least one SA information in an SA database,

the security policy is used to indicate a target security process and a target data plane security protocol, each SA information in the at least one SA information includes an address of the second device, an SA identifier in each SA information is allocated by the third device, and a security parameter in each SA information is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the capability of the second device.

6. The method of claim 5, wherein the third device is a management device or a negotiation device corresponding to the first device, and wherein the management device is configured to generate, for each of at least three devices, SA information required by each device and a communication peer device of each device, respectively, and the at least three devices include the first device and the second device, and the negotiation device corresponding to the first device is configured to negotiate, for the first device, the SA information required by the first device and the communication peer device.

7. The method of any of claims 2, 3, 5 and 6, wherein the data plane security protocol comprises: media access control security MACSec, internet protocol security IPSec, segment routing internet protocol version six security SRv6Sec, or secure sockets SSL.

8. The method of any one of claims 1-7, wherein the first device includes a plurality of data plane security processing modules, and the SA database is an SA database in which at least two of the plurality of data plane security processing modules have access rights.

9. The method of any of claims 1-8, wherein the first data plane security processing module obtains the m SA information from the SA database through a common interface.

10. The method of claim 9, wherein the common interface comprises a publish/subscribe Pub/Sub interface.

11. The method of any one of claims 1-10, wherein the first security process comprises one or more of: encryption processing, authentication processing, tamper-proof processing or replay-proof processing.

12. A method for processing a packet is applied to a second device, where the second device includes at least one data plane security processing module, a security association SA database corresponding to the second device includes M pieces of SA information, where M is a natural number greater than 0, and each piece of SA information in the M pieces of SA information includes an SA identifier and a security parameter, and the method includes:

the second equipment receives a first message, wherein the first message comprises M SA identifiers and a payload, and M is a natural number which is greater than 0 and less than or equal to M;

a second data plane security processing module acquires m pieces of SA information corresponding to the m SA identifiers from the SA database based on the m SA identifiers, wherein the second data plane security processing module is one of at least one data plane security processing module included in the second device;

and the second data surface security processing module performs second security processing on the payload of the first message based on the security parameters included in the m pieces of SA information.

13. The method of claim 12, wherein before the second data plane security processing module obtains m SA information corresponding to the m SA identifiers from the SA database based on the m SA identifiers, the method further comprises:

the second device reports the security capability of the second device to a third device, where the security capability includes at least one supported security processing algorithm and/or at least one supported data plane security protocol, so as to support the third device to generate at least one SA information based on the security capability of the first device, the security capability of the second device, and a security policy between the first device and the second device, and store the at least one SA information in the SA database,

the security policy is used to indicate a target security process and a target data plane security protocol, the SA identifier in each SA message is assigned by the third device, and the security parameter in each SA message is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the capability of the second device.

14. The method according to claim 13, wherein the third device is a management device or a negotiation device corresponding to the second device, where the management device is configured to generate, for each of at least three devices, SA information required by each device and a communication peer device of each device, respectively, where the at least three devices include the first device and the second device, and the negotiation device corresponding to the second device is configured to negotiate, for the second device, SA information required by the second device and the communication peer device.

15. The method according to any one of claims 12 to 14, wherein the obtaining, by the second data plane security processing module, m SA information corresponding to the m SA identifiers from the SA database based on the m SA identifiers includes:

and the second data surface safety processing module acquires m pieces of SA information corresponding to the m pieces of SA identifiers from the SA database through a public interface based on the m pieces of SA identifiers.

16. The method of claim 15, wherein the common interface comprises a publish/subscribe Pub/Sub interface.

17. The method of any of claims 12-16, wherein the second security process comprises one or more of: decryption processing, authentication processing, tamper-proof processing or replay-proof processing.

18. A method for acquiring Security Association (SA) information, the method comprising:

the method comprises the steps of obtaining the security capability of a first device, the security capability of a second device and a security policy between the first device and the second device, wherein the security capability of the first device comprises a security processing algorithm supported by the first device and/or a data plane security protocol supported by the first device, the security capability of the second device comprises a security processing algorithm supported by the second device and/or a data plane security protocol supported by the second device, and the security policy is used for indicating a target security processing and a target data plane protocol;

generating at least one SA information based on the security capability of the first device, the security capability of the second device and the security policy, wherein each SA information in the at least one SA information comprises the first address, an SA identifier and a security parameter; the security parameter is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the security capability of the second device.

19. The method of claim 18, wherein the method further comprises:

and generating attribute information corresponding to the at least one piece of SA information based on the security capability of the first device, the security capability of the second device and the security policy, wherein the attribute information corresponding to the first SA information in the at least one piece of SA information comprises one or more data plane security protocols capable of using the first SA information.

20. The method of claim 18 or 19, wherein the generating at least one SA information based on the security capabilities of the first device, the security capabilities of the second device, and the security policy comprises:

acquiring a protocol set and an algorithm set based on the security capability of the first device, the security capability of the second device and the security policy, wherein the protocol set is an intersection of a data plane security protocol supported by the first device, a data plane security protocol supported by the second device and the target data plane security protocol, and the algorithm set is an intersection of a security processing algorithm supported by the first device and a security processing algorithm supported by the second device;

generating at least one SA information based on the set of protocols, the set of algorithms, and the target security treatment.

21. The method of claim 19, wherein the security parameters in the first SA information include a first security processing algorithm and parameters required by the first security processing algorithm, the first security processing algorithm is an algorithm in the set of algorithms and the data plane security protocol to which the first security processing algorithm corresponds is a protocol in the set of protocols.

22. The method of any one of claims 18-21, wherein the method further comprises:

and storing the at least one piece of SA information in an SA database corresponding to the first device, and/or storing the at least one piece of SA information in an SA database corresponding to the second device.

23. A device for processing messages is characterized in that the device is used as a first device and comprises at least one data plane security processing module and a communication module, a security alliance SA database corresponding to the device comprises N pieces of SA information, wherein N is a natural number larger than 0, each piece of SA information in the N pieces of SA information respectively comprises an address, an SA identifier and a security parameter,

a first data plane security processing module, configured to obtain m pieces of SA information from the SA database based on a first address, where m is a natural number greater than 0 and less than or equal to N, the first address is an address of a second device, each piece of SA information in the m pieces of SA information includes the first address, and the first data plane security processing module is one of at least one data plane security processing module included in the apparatus;

the first data plane security processing module is further configured to acquire a message to be sent, where a destination address of the message to be sent is the first address;

the first data plane security processing module is further configured to perform first security processing on a payload of the message to be sent based on security parameters included in the m SA information, and add SA identifiers of the m SA information to the message to be sent to obtain a first message, where the payload of the first message is the payload after the first security processing;

and the communication module is used for sending the first message to the second equipment.

24. The apparatus of claim 23, wherein the SA database corresponding to the apparatus further comprises attribute information corresponding to the respective N SA information, wherein the attribute information corresponding to a first SA information in the N SA information comprises one or more data plane security protocols capable of using the first SA information,

the first data plane security processing module is configured to obtain m SA information from the SA database according to the first address and a filtering condition, where attribute information of each SA information in the m SA information satisfies the filtering condition, and the filtering condition includes a data plane security protocol required by the first data plane security processing module.

25. The apparatus of claim 24, wherein the attribute information corresponding to a first SA information of the N SA information further includes a source of the first SA information, the filter condition further includes a source of the SA information required by the first data plane security processing module,

the first data plane security processing module is configured to obtain m SA information from the SA database according to the first address, and a data plane security protocol required by the first data plane security processing module and a source of SA information required by the first data plane security processing module, where the data plane security protocol and the source of SA information are included in the filter condition.

26. The apparatus of any one of claims 23-25,

the communication module is further configured to report a security capability of the apparatus, where the security capability includes at least one supported security processing algorithm and/or at least one supported data plane security protocol, so as to support the third device to generate at least one SA information based on a security capability of a second device, a security capability of the apparatus, and a security policy between the apparatus and the second device, and store the at least one SA information in the SA database,

the security policy is used to indicate a target security process and a target data plane security protocol, each SA message in the at least one SA message includes an address of the second device, an SA identifier in each SA message is assigned by the third device, and a security parameter in each SA message is a parameter specified by the security policy and is a parameter supported by both the security capability of the apparatus and the capability of the second device.

27. The apparatus of claim 26, wherein the third device is a management device or a negotiation device corresponding to the apparatus, the management device is configured to generate, for each of at least three devices, SA information required by each device and a communication peer device of each device, respectively, the at least three devices include the apparatus and the second device, and the negotiation device corresponding to the apparatus is configured to negotiate, for the apparatus, the SA information required by the apparatus and the communication peer device.

28. The apparatus of any one of claims 24-27, wherein the data plane security protocol comprises: media access control security MACSec, internet protocol security IPSec, segment routing internet protocol version six security SRv6Sec, or secure sockets SSL.

29. The apparatus according to any one of claims 23-28, wherein the apparatus comprises a plurality of data plane security processing modules, and the SA database is an SA database in which at least two data plane security processing modules of the plurality of data plane security processing modules have access rights.

30. The apparatus of any one of claims 23-29, wherein the first data plane security processing module is configured to obtain the m SA information from the SA database via a common interface.

31. The apparatus of claim 30, wherein the common interface comprises a publish/subscribe Pub/Sub interface.

32. The apparatus of any of claims 23-31, wherein the first security process comprises one or more of: encryption processing, authentication processing, tamper-proof processing, or replay-proof processing.

33. A device for processing messages is characterized in that the device is used as a second device and comprises at least one data plane security processing module and a communication module, a security alliance SA database corresponding to the device comprises M pieces of SA information, wherein M is a natural number larger than 0, each piece of SA information in the M pieces of SA information comprises an SA identifier and a security parameter,

the communication module is used for receiving a first message, wherein the first message comprises M SA identifiers and a payload, and M is a natural number which is greater than 0 and less than or equal to M;

a second data plane security processing module, configured to obtain m SA information corresponding to the m SA identifiers from the SA database based on the m SA identifiers, where the second data plane security processing module is a data plane security processing module of at least one data plane security processing module included in the apparatus;

and the second data plane security processing module is further configured to perform second security processing on the payload of the first packet based on the security parameters included in the m SA information.

34. The apparatus of claim 33,

the communication module is further configured to report a security capability of the apparatus to a third device, where the security capability includes at least one supported security processing algorithm and/or at least one supported data plane security protocol, so as to support the third device to generate at least one SA information based on the security capability of the first device, the security capability of the apparatus, and a security policy between the first device and the apparatus, and store the at least one SA information in the SA database,

the security policy is used to indicate a target security process and a target data plane security protocol, the SA identifier in each SA message is assigned by the third device, and the security parameter in each SA message is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the capability of the apparatus.

35. The apparatus of claim 34, wherein the third device is a management device or a negotiation device corresponding to the apparatus, wherein the management device is configured to generate, for each of at least three devices, SA information required by each device and a device on a communication peer of the each device, respectively, and the at least three devices include the first device and the apparatus, and the negotiation device corresponding to the apparatus is configured to negotiate, for the apparatus, SA information required by the apparatus and the device on the communication peer.

36. The apparatus according to any one of claims 33-35, wherein the second data plane security processing module is configured to obtain, based on the m SA identities, m SA information corresponding to the m SA identities from the SA database through a common interface.

37. The apparatus of claim 36, wherein the common interface comprises a publish/subscribe Pub/Sub interface.

38. The apparatus of any of claims 33-37, wherein the second security process comprises one or more of: decryption processing, authentication processing, tamper-proof processing or replay-proof processing.

39. An apparatus for acquiring Security Association (SA) information, wherein the apparatus, as a third device, comprises:

an obtaining unit, configured to obtain a security capability of a first device, a security capability of a second device, and a security policy between the first device and the second device, where the security capability of the first device includes a security processing algorithm supported by the first device and/or a data plane security protocol supported by the first device, the security capability of the second device includes a security processing algorithm supported by the second device and/or a data plane security protocol supported by the second device, and the security policy is used to indicate a target security processing and a target data plane protocol;

a processing unit, configured to generate at least one SA information based on the security capability of the first device, the security capability of the second device, and the security policy, where each SA information in the at least one SA information includes the first address, an SA identifier, and a security parameter; the security parameter is a parameter specified by the security policy and is a parameter supported by both the security capability of the first device and the security capability of the second device.

40. The apparatus as recited in claim 39, said processing unit to further:

and generating attribute information corresponding to the at least one piece of SA information based on the security capability of the first device, the security capability of the second device and the security policy, wherein the attribute information corresponding to a first SA information in the at least one piece of SA information comprises one or more data plane security protocols capable of using the first SA information.

41. The apparatus as claimed in claim 39 or 40, wherein said processing unit is configured to:

acquiring a protocol set and an algorithm set based on the security capability of the first device, the security capability of the second device and the security policy, wherein the protocol set is an intersection of a data plane security protocol supported by the first device, a data plane security protocol supported by the second device and the target data plane security protocol, and the algorithm set is an intersection of a security processing algorithm supported by the first device and a security processing algorithm supported by the second device;

generating at least one SA information based on the set of protocols, the set of algorithms, and the target security treatment.

42. The apparatus according to any one of claims 39-41, wherein the processing unit is further configured to:

and storing the at least one piece of SA information in an SA database corresponding to the first device, and/or storing the at least one piece of SA information in an SA database corresponding to the second device.

43. A system for processing messages, characterized in that the system comprises an apparatus according to any of claims 23-32 and an apparatus according to any of claims 33-38.

44. The system of claim 43, further comprising an apparatus as set forth in any one of claims 39-42.

45. A computer-readable storage medium, on which a computer program is stored, which, when executed by a computer, carries out the method according to any one of claims 1-22.

46. An apparatus for processing messages, comprising a memory, a processor and a computer program stored on the memory, the processor, when executing the computer program, causing the apparatus to carry out the method according to any one of claims 1 to 17.

47. An apparatus for obtaining security association SA information, comprising a memory, a processor, and a computer program stored on the memory, the processor when executing the computer program causing the apparatus to perform the method of any of claims 18-22.

Images